Preface



Crypto 2001, the 21st Annual Crypto conference, was sponsored by the International
Association for Cryptologic Research (IACR) in cooperation with the IEEE Computer
Society Technical Committee on Security and Privacy and the Computer Science
Department of the University of California at Santa Barbara.

The conference received 156 submissions, of which the program committee 
selected 34 for presentation; one was later withdrawn. These proceedings contain 
the revised versions of the 33 submissions that were presented at the conference. 
These revisions have not been checked for correctness, and the authors bear full 
responsibility for the contents of their papers. 

The conference program included two invited lectures. Mark Sherwin spoke 
on, “Quantum information processing in semiconductors: an experimentalist’s 
view.” Daniel Weitzner spoke on, “Privacy, Authentication & Identity: A recent 
history of cryptographic struggles for freedom.” The conference program also 
included its perennial “rump session,” chaired by Stuart Haber, featuring short, 
informal talks on late-breaking research news. 

As I try to account for the hours of my life that flew off to oblivion, I realize 
that most of my time was spent cajoling talented innocents into spending even 
more time on my behalf. I have accumulated more debts than I can ever hope to 
repay. As mere statements of thanks are certainly insufficient, consider the rest 
of this preface my version of Chapter 11. 

I would like to first thank the many researchers from all over the world who
submitted their work to this conference. Without them, Crypto is just a pile of
shrimp and chocolate covered strawberries.

I thank David Balenson, the general chair, for shielding me from innumerable 
logistical headaches, and showing great generosity in supporting my efforts. 

Selecting from so many submissions is a daunting task. My deepest thanks 
go to the members of the program committee, for their knowledge, wisdom, and 
near-masochistic work ethic. We in turn have relied heavily on the expertise of 
the many outside reviewers who assisted us in our deliberations. My thanks to 
all those listed on the following pages, and my thanks and apologies to any I 
have missed. 

I thank Rebecca Wright for hosting the program committee meeting in New 
York City, AT&T for providing the space, and Sandy Barbu for helping out 
with the local arrangements. Thanks also go to Ran Canetti, my favorite native 
culinary guide, wherever I go, for organizing the post-deliberations dinner. 

I thank the people who, by their past and continuing work, have greatly 
streamlined the submission and review process. All but one of the submissions 
were handled using Chanathip Namprempre’s web-based submission software. 
Reviews were administered using software written by Wim Moreau and Joris 
Claessens, developed under the guidance of Bart Preneel. These software packages
have made the process idiot proof, and nearly theorist-proof. My thanks also
go to Sam Rebelsky for writing the email-based predecessor of the submission 
software. He and the other members of the SIGACT Electronic Publications 
Board have for many years made program committee chairs’ lives much more 
bearable. 

I am grateful to Mihir Bellare, last year’s program chair, and Kevin McCurley
and Josh Benaloh, my main contacts with the IACR board, for patiently trying
to teach me my job.

Even if I can’t really account for what I, personally, was doing, the hours did 
go somewhere. I thank my boss, Peter Yianilos, for being so supportive of my 
efforts, and so absurdly forgiving of the time it has taken away from my work. 
Last, and more importantly, I’d like to thank my family, Dina, Gersh, and Pearl,
for their support, understanding, and love. 

June 2001 Joe Kilian 
On the (Im)possibility of Obfuscating Programs

(Extended Abstract) 



Boaz Barak^1, Oded Goldreich^1, Russell Impagliazzo^2, Steven Rudich^3,
Amit Sahai^4, Salil Vadhan^5, and Ke Yang^3

^1 Department of Computer Science, Weizmann Institute of Science, Rehovot,
ISRAEL. {boaz,oded}@wisdom.weizmann.ac.il
^2 Department of Computer Science and Engineering, University of California, San
Diego, La Jolla, CA 92093-0114. russell@cs.ucsd.edu
^3 Computer Science Department, Carnegie Mellon University, 5000 Forbes Ave.
Pittsburgh, PA 15213. {rudich,yangke}@cs.cmu.edu
^4 Department of Computer Science, Princeton University, 35 Olden St. Princeton, NJ
08540. sahai@cs.princeton.edu
^5 Division of Engineering and Applied Sciences, Harvard University, 33 Oxford
Street, Cambridge, MA 02138. salil@eecs.harvard.edu



Abstract. Informally, an obfuscator O is an (efficient, probabilistic)
“compiler” that takes as input a program (or circuit) P and produces a
new program O(P) that has the same functionality as P yet is “unintelligible”
in some sense. Obfuscators, if they exist, would have a wide variety of
cryptographic and complexity-theoretic applications, ranging from software
protection to homomorphic encryption to complexity-theoretic analogues of
Rice’s theorem. Most of these applications are based on an interpretation of
the “unintelligibility” condition in obfuscation as meaning that O(P) is a
“virtual black box,” in the sense that anything one can efficiently compute
given O(P), one could also efficiently compute given oracle access to P.

In this work, we initiate a theoretical investigation of obfuscation. Our
main result is that, even under very weak formalizations of the above
intuition, obfuscation is impossible. We prove this by constructing a family
of functions $\mathcal{F}$ that are inherently unobfuscatable in the following sense:
there is a property $\pi : \mathcal{F} \to \{0,1\}$ such that (a) given any program that
computes a function $f \in \mathcal{F}$, the value $\pi(f)$ can be efficiently computed,
yet (b) given oracle access to a (randomly selected) function $f \in \mathcal{F}$, no
efficient algorithm can compute $\pi(f)$ much better than random guessing.
We extend our impossibility result in a number of ways, including even
obfuscators that (a) are not necessarily computable in polynomial time,
(b) only approximately preserve the functionality, and (c) only need to
work for very restricted models of computation ($TC^0$). We also rule
out several potential applications of obfuscators, by constructing
“unobfuscatable” signature schemes, encryption schemes, and pseudorandom
function families.



J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 1–18, 2001.
© Springer-Verlag Berlin Heidelberg 2001
1 Introduction

The past few decades of cryptography research has had amazing success in
putting most of the classical cryptographic problems — encryption,
authentication, protocols — on complexity-theoretic foundations. However, there
still remain several important problems in cryptography about which theory has
had little or nothing to say. One such problem is that of program obfuscation.
Roughly speaking, the goal of (program) obfuscation is to make a program
“unintelligible” while preserving its functionality. Ideally, an obfuscated
program should be a “virtual black box,” in the sense that anything one can
compute from it one could also compute from the input-output behavior of the
program.

The hope that some form of obfuscation is possible arises from the fact that
analyzing programs expressed in rich enough formalisms is hard. Indeed, any
programmer knows that total unintelligibility is the natural state of computer
programs (and one must work hard in order to keep a program from deteriorating
into this state). Theoretically, results such as Rice’s Theorem and the
hardness of the Halting Problem and Satisfiability all seem to imply that
the only useful thing that one can do with a program or circuit is to run it (on
inputs of one’s choice). However, this informal statement is, of course, an
overgeneralization, and the existence of obfuscators requires its own
investigation.

To be a bit more clear (though still informal), an obfuscator O is an
(efficient, probabilistic) “compiler” that takes as input a program (or circuit)
P and produces a new program O(P) satisfying the following two conditions:

— (functionality) O(P) computes the same function as P.

— (“virtual black box” property) “Anything that can be efficiently computed
from O(P) can be efficiently computed given oracle access to P.”

While there are heuristic approaches to obfuscation in practice (cf., Figure 1
and [CT00]), there has been little theoretical work on this problem. This is
unfortunate, since obfuscation, if it were possible, would have a wide variety of
cryptographic and complexity-theoretic applications.



```c
#include<stdio.h>
#include<string.h>
main(){char*O,l[999]="'`acgo\177~|xp .-\0R^8)NJ6%K4O+A2M(*0ID57$3G1FBL";while(O=
fgets(l+45,954,stdin)){*l=O[strlen(O)[O-1]=0,strspn(O,l+11)];
while(*O)switch((*l&&isalnum(*O))-!*l){case-1:{char*I=(O+=
strspn(O,l+12)+1)-2,O=34;while(*I&3&&(O=(O-16<<1)+*I---'-')<80);
putchar(O&93?*I&8||!(I=memchr(l,O,44))?'?':I-l+47:32);
break;case 1:;}*l=(*O&31)[l-15+(*O>61)*32];while(putchar(45+*l%2),
(*l=*l+32>>1)>35);case 0:putchar((++O,32));}putchar(10);}}
```



Fig. 1. The winning entry of the 1998 International Obfuscated C Code Contest, an
ASCII/Morse code translator by Frans van Dorsselaer [vD98] (adapted for this paper).
In this work, we initiate a theoretical investigation of obfuscation. We
examine various formalizations of the notion, in an attempt to understand what
we can and cannot hope to achieve. Our main result is a negative one, showing
that obfuscation (as it is typically understood) is impossible. Before
describing this result and others in more detail, we outline some of the
potential applications of obfuscators, both for motivation and to clarify the
notion.



1.1 Some Applications of Obfuscators 

Software Protection. The most direct applications of obfuscators are for various
forms of software protection. By definition, obfuscating a program protects it
against reverse engineering. For example, if one party, Alice, discovers a more
efficient algorithm for factoring integers, she may wish to sell another party,
Bob, a program for apparently weaker tasks (such as breaking the RSA
cryptosystem) that uses the factoring algorithm as a subroutine without actually
giving Bob a factoring algorithm. Alice could hope to achieve this by
obfuscating the program she gives to Bob.

Intuitively, obfuscators would also be useful in watermarking software (cf.,
[CT00, NSS99]). A software vendor could modify a program’s behavior in a way
that uniquely identifies the person to whom it is sold, and then obfuscate the
program to guarantee that this “watermark” is difficult to remove.



Homomorphic Encryption. A long-standing open problem is whether homomorphic
encryption schemes exist (cf., [RAD78, FM91, DDN00, BL96, SYY99]). That is, we
seek a secure public-key cryptosystem for which, given encryptions of two bits
(and the public key), one can compute an encryption of any binary Boolean
operation of those bits. Obfuscators would allow one to convert any public-key
cryptosystem into a homomorphic one: use the secret key to construct an
algorithm that performs the required computations (by decrypting, applying the
Boolean operation, and encrypting the result), and publish an obfuscation of
this algorithm together with the public key.^1



Removing Random Oracles. The Random Oracle Model [BR93] is an idealized
cryptographic setting in which all parties have access to a truly random
function. It is (heuristically) hoped that protocols designed in this model will
remain secure when implemented using an efficient, publicly computable
cryptographic hash function in place of the random function. While it is known
that this is not true in general [CGH98], it is unknown whether there exist
efficiently computable functions with strong enough properties to be securely
used in place of the random function in various specific protocols (e.g., in
Fiat-Shamir type schemes [FS87]). One might hope to obtain such functions by
obfuscating a family of pseudorandom functions [GGM86], whose input-output
behavior is by definition indistinguishable from that of a truly random
function.

^1 There is a subtlety here, caused by the fact that encryption algorithms must
be probabilistic to be semantically secure in the usual sense [GM84]. However,
both the “functionality” and “virtual black box” properties of obfuscators
become more complex for probabilistic algorithms, so in this work, we restrict
our attention to obfuscating deterministic algorithms. This restriction only
makes our main (impossibility) result stronger.

Transforming Private-Key Encryption into Public-Key Encryption. Obfuscation
can also be used to create new public-key encryption schemes by obfuscating a
private-key encryption scheme. Given a secret key K of a private-key encryption
scheme, one can publish an obfuscation of the encryption algorithm $Enc_K$.^2
This allows everyone to encrypt, yet only one possessing the secret key K should
be able to decrypt.



1.2 Our Results 

The Basic Impossibility Result. Most of the above applications rely on the
intuition that an obfuscated program is a “virtual black box.” That is, anything
one can efficiently compute from the obfuscated program, one should be able to
efficiently compute given just oracle access to the program.

Our main result shows that it is impossible to achieve this notion of
obfuscation. We prove this by constructing (from any one-way function) a family
$\mathcal{F}$ of functions which is inherently unobfuscatable in the sense that there is
some property $\pi : \mathcal{F} \to \{0,1\}$ such that:

— Given any program (circuit) that computes a function $f \in \mathcal{F}$, the value
$\pi(f)$ can be efficiently computed;

— Yet, given oracle access to a (randomly selected) function $f \in \mathcal{F}$, no
efficient algorithm can compute $\pi(f)$ much better than by random guessing.

Thus, there is no way of obfuscating the programs that compute these
functions, even if (a) the obfuscation is meant to hide only one bit of
information about the function (namely $\pi(f)$), and (b) the obfuscator itself
has unbounded computation time.

We believe that the existence of such functions shows that the “virtual black
box” paradigm for obfuscators is inherently flawed. Any hope for positive
results about obfuscator-like objects must abandon this viewpoint, or at least
be reconciled with the existence of functions as above.

Approximate Obfuscators. The basic impossibility result as described above
applies to obfuscators O for which we require that the obfuscated program O(P)
computes exactly the same function as the original program P. However, for
some applications it may suffice that, for every input x, O(P) and P agree on x
with high probability (over the coin tosses of O). Using some additional ideas,
our impossibility result extends to such approximate obfuscators.

^2 This application involves the same subtlety pointed out in Footnote 1. Thus,
our results regarding the (un)obfuscatability of private-key encryption schemes
(described later) refer to a relaxed notion of security in which multiple
encryptions of the same message are not allowed (which is consistent with a
deterministic encryption algorithm).
Impossibility of Applications. To give further evidence that our impossibility
result is not an artifact of definitional choices, but rather that there is
something inherently flawed in the “virtual black box” idea, we also demonstrate
that several of the applications of obfuscators are also impossible. We do this
by constructing inherently unobfuscatable signature schemes, encryption schemes,
and pseudorandom functions. These are objects satisfying the standard
definitions of security (except for the subtlety noted in Footnote 2), but for
which one can efficiently compute the secret key K from any program that signs
(or encrypts or evaluates the pseudorandom function, resp.) relative to K.
(Hence handing out “obfuscated forms” of these keyed algorithms is highly
insecure.)

In particular, we complement Canetti et al.’s critique of the Random Oracle
Methodology [CGH98]. They show that there exist (contrived) protocols that are
secure in the idealized Random Oracle Model (of [BR93]), but are insecure when
the random oracle is replaced with any (efficiently computable) function. Our
results imply that even for natural protocols that are secure in the random
oracle model (e.g., Fiat-Shamir type schemes [FS87]), there exist (contrived)
pseudorandom functions, such that these protocols are insecure when the random
oracle is replaced with any program that computes the contrived function.

Obfuscating restricted complexity classes. Even though obfuscation of general
programs/circuits is impossible, one may hope that it is possible to obfuscate
more restricted classes of computations. However, using the pseudorandom
functions of in our construction, we can show that the impossibility result
holds even when the input program P is a constant-depth threshold circuit (i.e.,
is in $TC^0$), under widely believed complexity assumptions (e.g., the hardness
of factoring).

Obfuscating Sampling Algorithms. Another way in which the notion of
obfuscators can be weakened is by changing the functionality requirement. Until
now, we have considered programs in terms of the functions they compute, but
sometimes one is interested in other kinds of behavior. For example, one
sometimes considers sampling algorithms, i.e. probabilistic programs that take
no input (other than, say, a length parameter) and produce an output according
to some desired distribution. We consider two natural definitions of obfuscators
for sampling algorithms, and prove that the stronger definition is impossible
to meet. We also observe that the weaker definition implies the nontriviality
of statistical zero knowledge.

Software Watermarking. As mentioned earlier, there appears to be some
connection between the problems of software watermarking and code obfuscation.
In the full version of the paper [BGI+01], we consider a couple of
formalizations of the watermarking problem and explore their relationship to
our results on obfuscation.

1.3 Discussion 

Our work rules out the standard, “virtual black box” notion of obfuscators as
impossible, along with several of its applications. However, it does not mean
that there is no method of making programs “unintelligible” in some meaningful
and precise sense. Such a method could still prove useful for software
protection.

Thus, we consider it to be both important and interesting to understand
whether there are alternative senses (or models) in which some form of
obfuscation is possible. Towards this end, in the full version of the paper we
suggest two weaker definitions of obfuscators that avoid the “virtual black
box” paradigm (and hence are not ruled out by our impossibility proof). These
definitions could be the subject of future investigations, but we hope that
other alternatives will also be proposed and examined.

As is usually the case with impossibility results and lower bounds, we show
that obfuscators (in the “virtual black box” sense) do not exist by supplying
a somewhat contrived counterexample of a function ensemble that cannot be
obfuscated. It is interesting whether obfuscation is possible for a restricted
class of algorithms, which nonetheless contains some “useful” algorithms. If we
try to restrict the algorithms by their computational complexity, then there’s
not much hope for obfuscation. Indeed, as mentioned above, we show that (under
widely believed complexity assumptions) our counterexample can be placed in
$TC^0$. In general, the complexity of our counterexample is essentially the same
as the complexity of pseudorandom functions, and so a complexity class which
does not contain our example will also not contain many cryptographically
useful algorithms.



1.4 Additional Related Work 

There are a number of heuristic approaches to obfuscation and software
watermarking in the literature, as described in the survey of Collberg and
Thomborson [CT00]. A theoretical study of software protection was previously
conducted by Goldreich and Ostrovsky [GO96], who considered hardware-based
solutions.

Hada gave some definitions for code obfuscators which are stronger than the
definitions we consider in this paper, and showed some implications of the
existence of such obfuscators. (Our result also rules out the existence of
obfuscators according to the definitions of

Canetti, Goldreich and Halevi [CGH98] showed another setting in cryptography
where getting a function’s description is provably more powerful than
black-box access. As mentioned above, they have shown that there exist
protocols that are secure when executed with black-box access to a random
function, but insecure when instead the parties are given a description of any
hash function.



1.5 Organization of the Paper 

In Section 2 we give some basic definitions along with (very weak) definitions
of obfuscators. In Section 3 we prove the impossibility of obfuscators by
constructing an inherently unobfuscatable function ensemble. Other extensions
and results are deferred to the full version of the paper [BGI+01].
2 Definitions

2.1 Preliminaries 

TM is shorthand for Turing machine. PPT is shorthand for probabilistic
polynomial-time Turing machine. For algorithms A and M and a string x, we
denote by $A^M(x)$ the output of A when executed on input x and oracle access to
M. If A is a probabilistic Turing machine then by A(x; r) we refer to the result
of running A on input x and random tape r. By A(x) we refer to the distribution
induced by choosing r uniformly and running A(x; r). If D is a distribution
then by $x \stackrel{R}{\leftarrow} D$ we mean that x is a random variable distributed according to
D. If S is a set then by $x \stackrel{R}{\leftarrow} S$ we mean that x is a random variable that is
distributed uniformly over the elements of S. Supp(D) denotes the support of
distribution D, i.e. the set of points that have nonzero probability under D. A
function $\mu : \mathbb{N} \to \mathbb{N}$ is called negligible if it grows slower than the inverse of
any polynomial. That is, for any positive polynomial $p(\cdot)$ there exists $N \in \mathbb{N}$
such that $\mu(n) < 1/p(n)$ for any $n > N$. We’ll sometimes use $\mathrm{neg}(\cdot)$ to denote
an unspecified negligible function. We will identify Turing machines and circuits
with their canonical representations as strings in $\{0,1\}^*$.



2.2 Obfuscators 

In this section, we aim to formalize the notion of obfuscators based on the
“virtual black box” property as described in the introduction. Recall that this
property requires that “anything that an adversary can compute from an
obfuscation O(P) of a program P, it could also compute given just oracle access
to P.” We shall define what it means for the adversary to successfully compute
something in this setting, and there are several choices for this (in decreasing
order of generality):

— (computational indistinguishability) The most general choice is not to
restrict the nature of what the adversary is trying to compute, and merely
require that it is possible, given just oracle access to P, to produce an
output distribution that is computationally indistinguishable from what the
adversary computes when given O(P).

— (satisfying a relation) An alternative is to consider the adversary as trying
to produce an output that satisfies an arbitrary (possibly polynomial-time)
relation with the original program P, and require that it is possible, given
just oracle access to P, to succeed with roughly the same probability as the
adversary does when given O(P).

— (computing a function) A weaker requirement is to restrict the previous 
requirement to relations which are functions; that is, the adversary is trying 
to compute some function of the original program. 

— (computing a predicate) The weakest is to restrict the previous requirement 
to {0, l}-valued functions; that is, the adversary is trying to decide some 
property of the original program. 
Since we will be proving impossibility results, our results are strongest when
we adopt the weakest requirement (i.e., the last one). This yields two
definitions for obfuscators, one for programs defined by Turing machines and one
for programs defined by circuits.

Definition 2.1 (TM obfuscator). A probabilistic algorithm O is a TM
obfuscator if the following three conditions hold:

— (functionality) For every TM M, the string O(M) describes a TM that
computes the same function as M.

— (polynomial slowdown) The description length and running time of O(M) are
at most polynomially larger than that of M. That is, there is a polynomial p
such that for every TM M, $|O(M)| \le p(|M|)$, and if M halts in t steps on
some input x, then O(M) halts within $p(t)$ steps on x.

— (“virtual black box” property) For any PPT A, there is a PPT S and a
negligible function $\alpha$ such that for all TMs M

$$\left|\,\Pr\left[A(O(M)) = 1\right] - \Pr\left[S^{M}(1^{|M|}) = 1\right]\right| \le \alpha(|M|).$$

We say that O is efficient if it runs in polynomial time.



Definition 2.2 (circuit obfuscator). A probabilistic algorithm O is a (circuit)
obfuscator if the following three conditions hold:

— (functionality) For every circuit C, the string O(C) describes a circuit that
computes the same function as C.

— (polynomial slowdown) There is a polynomial p such that for every circuit
C, $|O(C)| \le p(|C|)$.

— (“virtual black box” property) For any PPT A, there is a PPT S and a
negligible function $\alpha$ such that for all circuits C

$$\left|\,\Pr\left[A(O(C)) = 1\right] - \Pr\left[S^{C}(1^{|C|}) = 1\right]\right| \le \alpha(|C|).$$

We say that O is efficient if it runs in polynomial time.

We call the first two requirements (functionality and polynomial slowdown) 
the syntactic requirements of obfuscation, as they do not address the issue of 
security at all. 

There are a couple of other natural formulations of the “virtual black box”
property. The first, which more closely follows the informal discussion above,
asks that for every predicate $\pi$, the probability that $A(O(C)) = \pi(C)$ is at most
the probability that $S^{C}(1^{|C|}) = \pi(C)$ plus a negligible term. It is easy to see
that this requirement is equivalent to the ones above. Another formulation refers
to the distinguishability between obfuscations of two TMs/circuits: ask that for
every $C_1$ and $C_2$, $\left|\Pr[A(O(C_1)) = 1] - \Pr[A(O(C_2)) = 1]\right|$ is approximately
equal to $\left|\Pr[S^{C_1}(1^{|C_1|}) = 1] - \Pr[S^{C_2}(1^{|C_2|}) = 1]\right|$. This definition
appears to be slightly weaker than the ones above, but our impossibility proof
also rules it out.
Note that in both definitions, we have chosen to simplify the definition by
using the size of the TM/circuit to be obfuscated as a security parameter. One
can always increase this length by padding to obtain higher security.

The main difference between the circuit and TM obfuscators is that a circuit
computes a function with finite domain (all the inputs of a particular length)
while a TM computes a function with infinite domain. Note that if we had not
restricted the size of the obfuscated circuit O(C), then the (exponential size)
list of all the values of the circuit would be a valid obfuscation (provided we
allow S running time poly(|O(C)|) rather than poly(|C|)). For Turing machines,
it is not clear how to construct such an obfuscation, even if we are allowed an
exponential slowdown. Hence obfuscating TMs is intuitively harder. Indeed, it
is relatively easy to prove:

Proposition 2.3. If a TM obfuscator exists, then a circuit obfuscator exists. 

Thus, when we prove our impossibility result for circuit obfuscators, the
impossibility of TM obfuscators will follow. However, considering TM obfuscators
will be useful as motivation for the proof.

We note that, from the perspective of applications, Definitions 2.1 and 2.2
are already too weak to have the wide applicability discussed in the
introduction. The point is that they are nevertheless impossible to satisfy (as
we will prove).



3 The Main Impossibility Result 

To state our main result we introduce the notion of an inherently
unobfuscatable function ensemble.

Definition 3.1. An inherently unobfuscatable function ensemble is an ensemble
$\{\mathcal{H}_k\}_{k \in \mathbb{N}}$ of distributions $\mathcal{H}_k$ on finite functions (from, say,
$\{0,1\}^{\mathrm{poly}(k)}$ to $\{0,1\}^{\mathrm{poly}(k)}$) such that:

— (efficiently computable) Every function $f \stackrel{R}{\leftarrow} \mathcal{H}_k$ is computable by a
circuit of size poly(k). (Moreover, a distribution on circuits consistent with
$\mathcal{H}_k$ can be sampled uniformly in time poly(k).)

— (unobfuscatability) There exists a function
$\pi : \bigcup_{k \in \mathbb{N}} \mathrm{Supp}(\mathcal{H}_k) \to \{0,1\}$ such that

1. $\pi(f)$ is hard to compute with black-box access to f: For any PPT S

$$\Pr_{f \stackrel{R}{\leftarrow} \mathcal{H}_k}\left[S^{f}(1^k) = \pi(f)\right] \le \frac{1}{2} + \mathrm{neg}(k)$$

2. $\pi(f)$ is easy to compute with access to any circuit that computes f: There
exists a PPT A such that for any $f \in \bigcup_{k \in \mathbb{N}} \mathrm{Supp}(\mathcal{H}_k)$ and for
any circuit C that computes f

$$A(C) = \pi(f)$$
We prove in Theorem 3.9 that, assuming one-way functions exist, there exists
an inherently unobfuscatable function ensemble. This implies that, under the
same assumption, there is no obfuscator that satisfies Definition 2.2 (actually
we prove the latter fact directly in Theorem 3.5). Since the existence of an
efficient obfuscator implies the existence of one-way functions (Lemma 3.8), we
conclude that efficient obfuscators do not exist (unconditionally).

However, the existence of an inherently unobfuscatable function ensemble has
even stronger implications. As mentioned in the introduction, these functions
cannot be obfuscated even if we allow the following relaxations to the
obfuscator:

1. As mentioned above, the obfuscator does not have to run in polynomial time
— it can be any random process.

2. The obfuscator has only to work for functions in $\mathrm{Supp}(\mathcal{H}_k)$ and only for a
non-negligible fraction of these functions under the distributions $\mathcal{H}_k$.

3. The obfuscator has only to hide an a priori fixed property $\pi$ from an a priori
fixed adversary A.

Structure of the Proof of the Main Impossibility Result. We shall prove our
result by first defining obfuscators that are secure also when applied to several
(e.g., two) algorithms and proving that they do not exist. Then we shall modify
the construction in this proof to prove that TM obfuscators in the sense of
Definition 2.1 do not exist. After that, using an additional construction (which
requires one-way functions), we will prove that a circuit obfuscator as defined
in Definition 2.2 does not exist if one-way functions exist. We will then observe
that our proof actually yields an unobfuscatable function ensemble (Theorem 3.9).



3.1 Obfuscating Two TMs/Circuits 

Obfuscators as defined in the previous section provide a “virtual black box”
property when a single program is obfuscated, but the definitions do not say
anything about what happens when the adversary can inspect more than one
obfuscated program. In this section, we will consider extensions of those
definitions to obfuscating two programs, and prove that they are impossible to
meet. The proofs will provide useful motivation for the impossibility of the
original one-program definitions.

Definition 3.2 (2-TM obfuscator). A 2-TM obfuscator is defined in the
same way as a TM obfuscator, except that the “virtual black box” property is
strengthened as follows:

— (“virtual black box” property) For any PPT $A$, there is a PPT $S$ and a
negligible function $\alpha$ such that for all TMs $M$, $N$

$$\left|\Pr\left[A(O(M), O(N)) = 1\right] - \Pr\left[S^{M,N}(1^{|M|+|N|}) = 1\right]\right| \le \alpha(\min\{|M|, |N|\})$$

2-circuit obfuscators are defined by modifying the definition of circuit obfuscators
in an analogous fashion.

Proposition 3.3. Neither 2-TM nor 2-circuit obfuscators exist. 
Proof. We begin by showing that 2-TM obfuscators do not exist. Suppose, for
sake of contradiction, that there exists a 2-TM obfuscator $O$. The essence of
this proof, and in fact of all the impossibility proofs in this paper, is that there
is a fundamental difference between getting black-box access to a function and
getting a program that computes it, no matter how obfuscated: A program is
a succinct description of the function, on which one can perform computations
(or run other programs). Of course, if the function is (exactly) learnable via
oracle queries (i.e., one can acquire a program that computes the function by
querying it at a few locations), then this difference disappears. Hence, to get
our counterexample, we will use a function that cannot be exactly learned with
oracle queries. A very simple example of such an unlearnable function follows.
For strings $\alpha, \beta \in \{0,1\}^k$, define the Turing machine



We assume that on input $x$, $C_{\alpha,\beta}$ runs in $10 \cdot |x|$ steps (the constant 10 is
arbitrary). Now we will define a TM $D_{\alpha,\beta}$ that, given the code of a TM $C$, can
distinguish the case that $C$ computes the same function as $C_{\alpha,\beta}$ from
the case that $C$ computes the same function as $C_{\alpha',\beta'}$ for any $(\alpha',\beta') \neq (\alpha,\beta)$.



(Actually, this function is uncomputable. However, as we shall see below, we can
use a modified version of $D_{\alpha,\beta}$ that only considers the execution of $C(\alpha)$ for
$\mathrm{poly}(k)$ steps, and outputs 0 if $C$ does not halt within that many steps, for some
fixed polynomial $\mathrm{poly}(\cdot)$. We will ignore this issue for now, and elaborate on it
later.) Note that $C_{\alpha,\beta}$ and $D_{\alpha,\beta}$ have description size $O(k)$.

Consider an adversary $A$ which, given two (obfuscated) TMs as input, simply
runs the second TM on the first one. That is, $A(C, D) = D(C)$. (Actually, just as we
modified $D_{\alpha,\beta}$ above, we also will modify $A$ to only run $D$ on $C$ for $\mathrm{poly}(|C|, |D|)$
steps, and output 0 if $D$ does not halt in that time.) Thus, for any $\alpha, \beta \in \{0,1\}^k$,

$$\Pr\left[A(O(C_{\alpha,\beta}), O(D_{\alpha,\beta})) = 1\right] = 1 \qquad (1)$$

Observe that any $\mathrm{poly}(k)$-time algorithm $S$ which has oracle access to $C_{\alpha,\beta}$
and $D_{\alpha,\beta}$ has only exponentially small probability (for a random $\alpha$ and $\beta$) of
querying either oracle at a point where its value is nonzero. Hence, if we let $Z_k$
be a Turing machine that always outputs $0^k$, then for every PPT $S$,

$$\left|\Pr\left[S^{C_{\alpha,\beta}, D_{\alpha,\beta}}(1^k) = 1\right] - \Pr\left[S^{Z_k, D_{\alpha,\beta}}(1^k) = 1\right]\right| \le 2^{-\Omega(k)} \qquad (2)$$

where the probabilities are taken over $\alpha$ and $\beta$ selected uniformly in $\{0,1\}^k$ and
the coin tosses of $S$. On the other hand, by the definition of $A$ we have:

$$\Pr\left[A(O(Z_k), O(D_{\alpha,\beta})) = 1\right] = 0 \qquad (3)$$

The combination of Equations (1), (2), and (3) contradicts the fact that $O$ is a
2-TM obfuscator.
In the above proof, we ignored the fact that we had to truncate the running
times of $A$ and $D_{\alpha,\beta}$. When doing so, we must make sure that Equations (1) and
(3) still hold. Equation (1) involves executing (a) $A(O(C_{\alpha,\beta}), O(D_{\alpha,\beta}))$, which in
turn amounts to executing (b) $O(D_{\alpha,\beta})(O(C_{\alpha,\beta}))$. By definition (b) has the same
functionality as $D_{\alpha,\beta}(O(C_{\alpha,\beta}))$, which in turn involves executing (c) $O(C_{\alpha,\beta})(\alpha)$.
Yet the functionality requirement of the obfuscator definition assures us that (c)
has the same functionality as $C_{\alpha,\beta}(\alpha)$. By the polynomial slowdown property of
obfuscators, execution (c) only takes $\mathrm{poly}(10 \cdot k) = \mathrm{poly}(k)$ steps, which means
that $D_{\alpha,\beta}(O(C_{\alpha,\beta}))$ need only run for $\mathrm{poly}(k)$ steps. Thus, again applying the
polynomial slowdown property, execution (b) takes $\mathrm{poly}(k)$ steps, which finally
implies that $A$ need only run for $\mathrm{poly}(k)$ steps. The same reasoning holds for
Equation (3), using $Z_k$ instead of $C_{\alpha,\beta}$. Note that all the polynomials involved
are fixed once we fix the polynomial $p(\cdot)$ of the polynomial slowdown property.

The proof for the 2-circuit case is very similar to the 2-TM case, with a
related, but slightly different subtlety. Suppose, for sake of contradiction, that
$O$ is a 2-circuit obfuscator. For $k \in \mathbb{N}$ and $\alpha, \beta \in \{0,1\}^k$, define $C_{\alpha,\beta}$ and
$D_{\alpha,\beta}$ in the same way as above but as circuits rather than TMs, and define
an adversary $A$ by $A(C, D) = D(C)$. (Note that the issues of $A$'s and $D_{\alpha,\beta}$'s
running times go away in this setting, since circuits can always be evaluated in
time polynomial in their size.) The new subtlety here is that the definition of
$A$ as $A(C, D) = D(C)$ only makes sense when the input length of $D$ is larger
than the size of $C$ (note that one can always pad $C$ to a larger size). Thus, for
the analogues of Equations (1) and (3) to hold, the input length of $D_{\alpha,\beta}$ must
be larger than the sizes of the obfuscations of $C_{\alpha,\beta}$ and $Z_k$. However, by the
polynomial slowdown property of obfuscators, it suffices to let $D_{\alpha,\beta}$ have input
length $\mathrm{poly}(k)$ and the proof works as before.



3.2 Obfuscating One TM/Circuit 

Our approach to extending the two-program obfuscation impossibility results to 
the one-program definitions is to combine the two programs constructed above 
into one. This will work in a quite straightforward manner for TM obfuscators, 
but will require new ideas for circuit obfuscators. 

Combining functions and programs. For functions, TMs, or circuits $f_0, f_1 : X \to Y$,
define their combination $f_0 \# f_1 : \{0,1\} \times X \to Y$ by $(f_0 \# f_1)(b, x) \stackrel{\mathrm{def}}{=} f_b(x)$.
Conversely, if we are given a TM (resp., circuit) $C : \{0,1\} \times X \to Y$, we can
efficiently decompose $C$ into $C_0 \# C_1$ by setting $C_b(x) \stackrel{\mathrm{def}}{=} C(b, x)$; note that $C_0$
and $C_1$ have size and running time essentially the same as that of $C$. Observe
that having oracle access to a combined function $f_0 \# f_1$ is equivalent to having
oracle access to $f_0$ and $f_1$ individually.

Footnote: Another, even more minor subtlety that we ignored is that, strictly speaking, $A$ only
has running time polynomial in the description of the obfuscations of $C_{\alpha,\beta}$, $D_{\alpha,\beta}$,
and $Z_k$, which could conceivably be shorter than the original TM descriptions. But
a counting argument shows that for all but an exponentially small fraction of pairs
$(\alpha, \beta) \in \{0,1\}^k \times \{0,1\}^k$, $O(C_{\alpha,\beta})$ and $O(D_{\alpha,\beta})$ must have description size $\Omega(k)$.



On the (Im)possibility of Obfuscating Programs



Theorem 3.4. TM obfuscators do not exist.

Proof Sketch: Suppose, for sake of contradiction, that there exists a TM obfuscator
$O$. For $\alpha, \beta \in \{0,1\}^k$, let $C_{\alpha,\beta}$, $D_{\alpha,\beta}$, and $Z_k$ be the TMs defined in the
proof of Proposition 3.3. Combining these, we get the TMs $F_{\alpha,\beta} = C_{\alpha,\beta} \# D_{\alpha,\beta}$
and $G_{\alpha,\beta} = Z_k \# D_{\alpha,\beta}$.

We consider an adversary $A$ analogous to the one in the proof of Proposition 3.3,
augmented to first decompose the program it is fed. That is, on input
a TM $F$, algorithm $A$ first decomposes $F$ into $F_0 \# F_1$ and then outputs $F_1(F_0)$.
(As in the proof of Proposition 3.3, $A$ actually should be modified to run in time
$\mathrm{poly}(|F|)$.) Let $S$ be the PPT simulator for $A$ guaranteed by Definition 2.1. Just
as in the proof of Proposition 3.3 we have:

$$\Pr\left[A(O(F_{\alpha,\beta})) = 1\right] = 1 \quad\text{and}\quad \Pr\left[A(O(G_{\alpha,\beta})) = 1\right] = 0$$

$$\left|\Pr\left[S^{F_{\alpha,\beta}}(1^k) = 1\right] - \Pr\left[S^{G_{\alpha,\beta}}(1^k) = 1\right]\right| \le 2^{-\Omega(k)}$$

where the probabilities are taken over uniformly selected $\alpha, \beta \in \{0,1\}^k$, and the
coin tosses of $A$, $S$, and $O$. This contradicts Definition 2.1. □
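As an added illustration (not part of the paper), the following Python code instantiates the argument of Proposition 3.3 and Theorem 3.4 on a toy scale. Programs are represented as Python source text, so that a program is a description another program can run; $C_{\alpha,\beta}$, $Z_k$ and $D_{\alpha,\beta}$ follow the text, a trace-event budget stands in for the $\mathrm{poly}(k)$ truncation of $D_{\alpha,\beta}$, and `toy_obfuscator` is an assumed stand-in for $O$ that only rewrites source while preserving functionality. The adversary decomposes $O(F)$ and runs $F_1(F_0)$; the simulator has black-box access only and so never sees a nonzero answer unless it guesses $\alpha$.

```python
# Added example (not from the paper): a toy instance of the Section 3 argument.
# Programs are Python source text, so that "a program is a succinct description"
# another program can run.  The step bound stands in for the poly(k) truncation;
# toy_obfuscator is an assumed stand-in for O that only rewrites text.
import secrets
import sys
import textwrap

K = 8  # k = 64 bits, handled as 8-byte strings


class StepLimit(Exception):
    """Raised when a program exceeds its step budget."""


def load(src):
    """Compile program text to its entry point f (D-type programs need the runtime names)."""
    ns = {"run_bounded": run_bounded, "StepLimit": StepLimit}
    exec(src, ns)
    return ns["f"]


def run_bounded(src, x, bound):
    """Run program text on x for at most `bound` trace events, else raise StepLimit."""
    f = load(src)
    count = 0

    def tracer(frame, event, arg):
        nonlocal count
        count += 1
        if count > bound:
            raise StepLimit
        return tracer

    old = sys.gettrace()
    sys.settrace(tracer)
    try:
        return f(x)
    finally:
        sys.settrace(old)


def C_src(alpha, beta):
    """C_{alpha,beta}(x) = beta if x == alpha, else 0^k."""
    return f"def f(x):\n    return {beta!r} if x == {alpha!r} else bytes({K})\n"


Z_SRC = f"def f(x):\n    return bytes({K})\n"  # Z_k: always outputs 0^k


def D_src(alpha, beta, bound=10_000):
    """D_{alpha,beta}(C) = 1 iff the *code* C, run on alpha within `bound` steps, outputs beta."""
    return textwrap.dedent(f"""\
        def f(src):
            try:
                return int(run_bounded(src, {alpha!r}, {bound}) == {beta!r})
            except StepLimit:
                return 0
        """)


def combine_src(src0, src1):
    """f0 # f1 : (b, x) -> f_b(x), as program text."""
    return (src0.replace("def f(", "def f0(", 1) + "\n"
            + src1.replace("def f(", "def f1(", 1) + "\n"
            + "def f(b, x):\n    return (f1 if b else f0)(x)\n")


def decompose_src(src):
    """C_b(x) := C(b, x): recover program text for both halves of a combined program."""
    base = src.replace("def f(", "def F_(", 1)
    return (base + "\ndef f(x):\n    return F_(0, x)\n",
            base + "\ndef f(x):\n    return F_(1, x)\n")


def toy_obfuscator(src):
    """Stand-in for O: same function, rewritten text (renamed entry, indirection, dead branch)."""
    tag = "_" + secrets.token_hex(4)
    return (src.replace("def f(", f"def {tag}(", 1)
            + f"\ndef f(*args):\n    if {tag!r} == '':\n        return None\n    return {tag}(*args)\n")


def adversary(obf_src):
    """A(F): decompose F = F0 # F1 and output F1(F0), i.e. hand F0's code to F1."""
    F0, F1 = decompose_src(obf_src)
    return load(F1)(F0)


def simulator(F_oracle, queries=1000):
    """S^F(1^k): black-box access only.  It probes the C-half at random points; it
    cannot pass the oracle itself to the D-half, only programs it can write without alpha."""
    return int(any(F_oracle(0, secrets.token_bytes(K)) != bytes(K) for _ in range(queries)))


def demo(alpha=None, beta=None):
    """A tells O(C#D) from O(Z_k#D); S, with oracle access, outputs 0 on both."""
    alpha = secrets.token_bytes(K) if alpha is None else alpha
    beta = secrets.token_bytes(K) if beta is None else beta
    F = toy_obfuscator(combine_src(C_src(alpha, beta), D_src(alpha, beta)))
    G = toy_obfuscator(combine_src(Z_SRC, D_src(alpha, beta)))
    looping = "def f(x):\n    i = 0\n    while True:\n        i += 1\n"  # never halts
    return {"A_on_F": adversary(F), "A_on_G": adversary(G),
            "S_on_F": simulator(load(F)), "S_on_G": simulator(load(G)),
            "D_on_nonhalting": load(D_src(alpha, beta))(looping)}


if __name__ == "__main__":
    print(demo())
```

Running the file prints `A_on_F` = 1 and `A_on_G` = 0 while both `S_on_*` values are 0 and the non-halting program is rejected by the truncated $D$. The obfuscator used here is deliberately weak; the proof's point is that any $O$ that preserves functionality and polynomial slowdown leaves $F_1(F_0)$ computable by $A$, whereas the simulator's random queries hit $\alpha$ with probability about $1000 / 2^{64}$.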

There is a difficulty in trying to carry out the above argument in the circuit
setting. (This difficulty is related to (but more serious than) the same subtlety
regarding the circuit setting discussed earlier.) In the above proof, the adversary
$A$, on input $O(F_{\alpha,\beta})$, attempts to evaluate $F_1(F_0)$, where $F_0 \# F_1 = O(F_{\alpha,\beta}) =
O(C_{\alpha,\beta} \# D_{\alpha,\beta})$. In order for this to make sense in the circuit setting, the size
of the circuit $F_0$ must be at most the input length of $F_1$ (which is the same as
the input length of $D_{\alpha,\beta}$). But, since the output $F_0 \# F_1$ of the obfuscator can
be polynomially larger than its input $C_{\alpha,\beta} \# D_{\alpha,\beta}$, we have no such guarantee.
Furthermore, note that if we compute $F_0, F_1$ in the way we described above (i.e.,
$F_b(x) = O(F_{\alpha,\beta})(b, x)$), then we'll have $|F_0| = |F_1|$ and so $F_0$ will necessarily be
larger than $F_1$'s input length.

To get around this, we modify $D_{\alpha,\beta}$ in a way that will allow $A$, when given
$D_{\alpha,\beta}$ and a circuit $C$, to test whether $C(\alpha) = \beta$ even when $C$ is larger than the
input length of $D_{\alpha,\beta}$. Of course, oracle access to $D_{\alpha,\beta}$ should not reveal $\alpha$ and
$\beta$, because we do not want the simulator $S$ to be able to test whether $C(\alpha) = \beta$
given just oracle access to $C$ and $D_{\alpha,\beta}$. We will construct such functions $D_{\alpha,\beta}$
based on pseudorandom functions [GGM86].

Lemma 3.5. If one-way functions exist, then for every $k \in \mathbb{N}$ and $\alpha, \beta \in
\{0,1\}^k$, there is a distribution $\mathcal{D}_{\alpha,\beta}$ on circuits such that:

1. Every $D \in \mathrm{Supp}(\mathcal{D}_{\alpha,\beta})$ is a circuit of size $\mathrm{poly}(k)$.

2. There is a polynomial-time algorithm $A$ such that for any circuit $C$, and any
$D \in \mathrm{Supp}(\mathcal{D}_{\alpha,\beta})$, $A^{D}(C, 1^k) = 1$ iff $C(\alpha) = \beta$.

3. For any PPT $S$, $\Pr\left[S^{D}(1^k) = \alpha\right] = \mathrm{neg}(k)$, where the probability is taken
over $\alpha, \beta \leftarrow \{0,1\}^k$, $D \leftarrow \mathcal{D}_{\alpha,\beta}$, and the coin tosses of $S$.

Proof. Basically, the construction implements a private-key “homomorphic encryption”
scheme. More precisely, the functions in $\mathcal{D}_{\alpha,\beta}$ will consist of three
parts. The first part gives out an encryption of the bits of $\alpha$ (under some private-key
encryption scheme). The second part provides the ability to perform binary
Boolean operations on encrypted bits, and the third part tests whether a sequence
of encryptions consists of encryptions of the bits of $\beta$. These operations
will enable one to efficiently test whether a given circuit $C$ satisfies $C(\alpha) = \beta$,
while keeping $\alpha$ and $\beta$ hidden when only oracle access to $C$ and $D_{\alpha,\beta}$ is provided.

We begin with any one-bit (probabilistic) private-key encryption scheme
$(\mathrm{Enc}, \mathrm{Dec})$ that satisfies indistinguishability under chosen plaintext and non-adaptive
chosen ciphertext attacks. Informally, this means that an encryption
of 0 should be indistinguishable from an encryption of 1 even for adversaries
that have access to encryption and decryption oracles prior to receiving the
challenge ciphertext, and access to just an encryption oracle after receiving the
challenge ciphertext. (See [KY00] for formal definitions.) We note that such
encryption schemes exist if one-way functions exist; indeed, the “standard” encryption
scheme $\mathrm{Enc}_K(b) = (r, f_K(r) \oplus b)$, where $r \leftarrow \{0,1\}^{|K|}$ and $f_K$ is a
pseudorandom function, has this property.

Now we consider a “homomorphic encryption” algorithm $\mathrm{Hom}$, which takes
as input a private-key $K$ and two ciphertexts $c$ and $d$ (w.r.t. this key $K$), and
a binary Boolean operation $\odot$ (specified by its $2 \times 2$ truth table). We define

$$\mathrm{Hom}_K(c, d, \odot) \stackrel{\mathrm{def}}{=} \mathrm{Enc}_K\left(\mathrm{Dec}_K(c) \odot \mathrm{Dec}_K(d)\right).$$

It can be shown that such an encryption scheme retains its security even if the
adversary is given access to a $\mathrm{Hom}$ oracle. This is formalized in the following
claim:

Claim. For every PPT $A$,

$$\left|\Pr\left[A^{\mathrm{Hom}_K, \mathrm{Enc}_K}(\mathrm{Enc}_K(0)) = 1\right] - \Pr\left[A^{\mathrm{Hom}_K, \mathrm{Enc}_K}(\mathrm{Enc}_K(1)) = 1\right]\right| \le \mathrm{neg}(k).$$

Proof of claim: Suppose there were a PPT $A$ violating the claim.

First, we argue that we can replace the responses to all of $A$'s $\mathrm{Hom}_K$-oracle
queries with encryptions of 0 with only a negligible effect on $A$'s
distinguishing gap. This follows from indistinguishability under chosen
plaintext and ciphertext attacks and a hybrid argument: Consider hybrids
where the first $i$ oracle queries are answered according to $\mathrm{Hom}_K$
and the rest with encryptions of 0. Any advantage in distinguishing two
adjacent hybrids must be due to distinguishing an encryption of 1 from
an encryption of 0. The resulting distinguisher can be implemented using
oracle access to encryption and decryption oracles prior to receiving the
challenge ciphertext (and an encryption oracle afterwards).

Once we have replaced the $\mathrm{Hom}_K$-oracle responses with encryptions
of 0, we have an adversary that can distinguish an encryption of 0 from
an encryption of 1 when given access to just an encryption oracle. This
contradicts indistinguishability under chosen plaintext attack. □

Now we return to the construction of our circuit family $\mathcal{D}_{\alpha,\beta}$. For a key $K$,
let $E_{K,\alpha}$ be an algorithm which, on input $i$ outputs $\mathrm{Enc}_K(\alpha_i)$, where $\alpha_i$ is the
$i$'th bit of $\alpha$. Let $B_{K,\beta}$ be an algorithm which when fed a $k$-tuple of ciphertexts
$(c_1, \ldots, c_k)$ outputs 1 if for all $i$, $\mathrm{Dec}_K(c_i) = \beta_i$, where $\beta_1, \ldots, \beta_k$ are the bits
of $\beta$. A random circuit from $\mathcal{D}_{\alpha,\beta}$ will essentially be the algorithm

$$D_{K,\alpha,\beta} \stackrel{\mathrm{def}}{=} E_{K,\alpha} \# \mathrm{Hom}_K \# B_{K,\beta}$$

(for a uniformly selected key $K$). One minor complication is that $D_{K,\alpha,\beta}$ is
actually a probabilistic algorithm, since $E_{K,\alpha}$ and $\mathrm{Hom}_K$ employ probabilistic
encryption, whereas the lemma requires deterministic functions. This can be
solved in the usual way, by using pseudorandom functions. Let $q = q(k)$ be the
input length of $D_{K,\alpha,\beta}$ and $m = m(k)$ the maximum number of random bits
used by $D_{K,\alpha,\beta}$ on any input. We can select a pseudorandom function $f_{K'} :
\{0,1\}^q \to \{0,1\}^m$, and let $D'_{K,\alpha,\beta,K'}$ be the (deterministic) algorithm which, on
input $x \in \{0,1\}^q$, evaluates $D_{K,\alpha,\beta}(x)$ using randomness $f_{K'}(x)$.

Define the distribution $\mathcal{D}_{\alpha,\beta}$ to be $D'_{K,\alpha,\beta,K'}$ for uniformly selected keys $K$
and $K'$. We argue that this distribution has the properties stated in the lemma.
By construction, each $D'_{K,\alpha,\beta,K'}$ is computable by a circuit of size $\mathrm{poly}(k)$, so
Property 1 is satisfied.

For Property 2, consider an algorithm $A$ that on input $C$ and oracle access to
$D'_{K,\alpha,\beta,K'}$ (which, as usual, we can view as access to (deterministic versions of)
the three separate oracles $E_{K,\alpha}$, $\mathrm{Hom}_K$, and $B_{K,\beta}$), proceeds as follows: First,
with $k$ oracle queries to the $E_{K,\alpha}$ oracle, $A$ obtains encryptions of each of the
bits of $\alpha$. Then, $A$ uses the $\mathrm{Hom}_K$ oracle to do a gate-by-gate emulation of the
computation of $C(\alpha)$, in which $A$ obtains encryptions of the values at each gate
of $C$. In particular, $A$ obtains encryptions of the values at each output gate of $C$
(on input $\alpha$). It then feeds these output encryptions to $B_{K,\beta}$, and outputs the
response to this oracle query. By construction, $A$ outputs 1 iff $C(\alpha) = \beta$.

Finally, we verify Property 3. Let $S$ be any PPT algorithm. We must show
that $S$ has only a negligible probability of outputting $\alpha$ when given oracle access
to $D'_{K,\alpha,\beta,K'}$ (over the choice of $K$, $\alpha$, $\beta$, $K'$, and the coin tosses of $S$). By the
pseudorandomness of $f_{K'}$, we can replace oracle access to the function $D'_{K,\alpha,\beta,K'}$
with oracle access to the probabilistic algorithm $D_{K,\alpha,\beta}$ with only a negligible
effect on $S$'s success probability. Oracle access to $D_{K,\alpha,\beta}$ is equivalent to oracle
access to $E_{K,\alpha}$, $\mathrm{Hom}_K$, and $B_{K,\beta}$. Since $\beta$ is independent of $\alpha$ and $K$, the
probability that $S$ queries $B_{K,\beta}$ at a point where its value is nonzero (i.e., at a
sequence of encryptions of the bits of $\beta$) is exponentially small, so we can remove
$S$'s queries to $B_{K,\beta}$ with only a negligible effect on the success probability. Oracle
access to $E_{K,\alpha}$ is equivalent to giving $S$ polynomially many encryptions of each of
the bits of $\alpha$. Thus, we must argue that $S$ cannot compute $\alpha$ with nonnegligible
probability from these encryptions and oracle access to $\mathrm{Hom}_K$. This follows from
the fact that the encryption scheme remains secure in the presence of a $\mathrm{Hom}_K$
oracle (the Claim above) and a hybrid argument. □
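As an added illustration (not part of the paper) of the construction in Lemma 3.5, the following Python code builds the three parts $E_{K,\alpha}$, $\mathrm{Hom}_K$ and $B_{K,\beta}$ of $D_{K,\alpha,\beta}$ from the “standard” scheme $\mathrm{Enc}_K(b) = (r, f_K(r) \oplus b)$, derandomises them with $f_{K'}$ as in the text, and runs the algorithm $A$ of Property 2 (gate-by-gate emulation under encryption, then one query to $B_{K,\beta}$) on a sample circuit. HMAC-SHA256 serves as the pseudorandom function, $k$ is fixed at 16 bits, and the sample circuit is constructed here; all three are assumptions of this example, not choices made by the paper.

```python
# Added example (not from the paper): a toy instance of the Lemma 3.5
# construction.  Enc_K(b) = (r, f_K(r) xor b) with HMAC-SHA256 standing in
# for the PRF f_K (an assumption of this example); Hom_K, E_{K,alpha},
# B_{K,beta}, their derandomisation with f_{K'}, and the algorithm A of
# Property 2 that evaluates a circuit on alpha under encryption.
import hashlib
import hmac
import secrets

K_BITS = 16  # k, kept small so circuits stay tiny

# Binary Boolean operations given by their truth table, table[a][b]
XOR = ((0, 1), (1, 0))
NAND = ((1, 1), (1, 0))


def prf(key, x):
    """f_K(x): one pseudorandom bit; HMAC-SHA256 stands in for the PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[0] & 1


def enc(K, b, r=None):
    """Enc_K(b) = (r, f_K(r) xor b); r is fresh unless the caller supplies it."""
    r = secrets.token_bytes(16) if r is None else r
    return (r, prf(K, r) ^ b)


def dec(K, c):
    """Dec_K((r, t)) = f_K(r) xor t."""
    r, t = c
    return prf(K, r) ^ t


def hom(K, c, d, table, r=None):
    """Hom_K(c, d, op) = Enc_K(Dec_K(c) op Dec_K(d))."""
    return enc(K, table[dec(K, c)][dec(K, d)], r)


def make_D(alpha, beta):
    """The three parts of D'_{K,alpha,beta,K'}: E_{K,alpha}, Hom_K, B_{K,beta},
    derandomised by drawing each query's coins from f_{K'}(query) as in the lemma."""
    K, K2 = secrets.token_bytes(16), secrets.token_bytes(16)

    def coins(*parts):  # f_{K'}(x) for the encoded query x
        return hmac.new(K2, b"".join(parts), hashlib.sha256).digest()[:16]

    def E(i):  # encryption of the i-th bit of alpha
        return enc(K, alpha[i], coins(b"E", bytes([i])))

    def Hom(c, d, table):  # homomorphic gate evaluation on two ciphertexts
        tbl = bytes(table[0] + table[1])
        return hom(K, c, d, table, coins(b"H", c[0], bytes([c[1]]), d[0], bytes([d[1]]), tbl))

    def B(cts):  # 1 iff (c_1, ..., c_k) decrypt to the bits of beta
        return int(len(cts) == K_BITS and all(dec(K, c) == bi for c, bi in zip(cts, beta)))

    return E, Hom, B


def eval_clear(circuit, x):
    """Evaluate a circuit (list of (table, i, j) gates over wire indices) on bits x."""
    wires = list(x)
    for table, i, j in circuit:
        wires.append(table[wires[i]][wires[j]])
    return wires[-K_BITS:]


def algorithm_A(circuit, E, Hom, B):
    """Property 2: k queries to E give encryptions of alpha's bits, Hom emulates the
    circuit gate by gate on ciphertexts, and B is asked whether the output encrypts beta."""
    wires = [E(i) for i in range(K_BITS)]
    for table, i, j in circuit:
        wires.append(Hom(wires[i], wires[j], table))
    return B(wires[-K_BITS:])


def xor_neighbours():
    """Sample circuit (constructed here): output_i = x_i xor x_{(i+1) mod k}."""
    return [(XOR, i, (i + 1) % K_BITS) for i in range(K_BITS)]


def demo(alpha):
    """A answers 1 exactly for the beta that the circuit maps alpha to; E is deterministic."""
    circuit = xor_neighbours()
    beta = eval_clear(circuit, alpha)
    wrong = [1 - beta[0]] + beta[1:]
    E, Hom, B = make_D(alpha, beta)
    E2, Hom2, B2 = make_D(alpha, wrong)
    return {"hit": algorithm_A(circuit, E, Hom, B),
            "miss": algorithm_A(circuit, E2, Hom2, B2),
            "deterministic": E(3) == E(3)}


if __name__ == "__main__":
    print(demo([secrets.randbelow(2) for _ in range(K_BITS)]))
```

The `coins` helper is what turns the probabilistic $D_{K,\alpha,\beta}$ into the deterministic $D'_{K,\alpha,\beta,K'}$: the randomness of every encryption is a PRF of the query, so repeated queries return identical ciphertexts, as the lemma's circuit must. Note that `algorithm_A` never sees $K$, $\alpha$ or $\beta$; it only drives the three oracles, which is exactly the access a decomposed obfuscated circuit gives the adversary in Theorem 3.6.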



Theorem 3.6. If one-way functions exist, then circuit obfuscators do not exist.

Proof. Suppose, for sake of contradiction, that there exists a circuit obfuscator
$O$. For $k \in \mathbb{N}$ and $\alpha, \beta \in \{0,1\}^k$, let $Z_k$ and $C_{\alpha,\beta}$ be the circuits defined in the
proof of Proposition 3.3, and let $\mathcal{D}_{\alpha,\beta}$ be the distribution on circuits given by
Lemma 3.5. For each $k \in \mathbb{N}$, consider the following two distributions on circuits
of size $\mathrm{poly}(k)$:

$\mathcal{F}_k$: Choose $\alpha$ and $\beta$ uniformly in $\{0,1\}^k$, $D \leftarrow \mathcal{D}_{\alpha,\beta}$. Output $C_{\alpha,\beta} \# D$.

$\mathcal{G}_k$: Choose $\alpha$ and $\beta$ uniformly in $\{0,1\}^k$, $D \leftarrow \mathcal{D}_{\alpha,\beta}$. Output $Z_k \# D$.

Let $A$ be the PPT algorithm guaranteed by Property 2 in Lemma 3.5, and
consider a PPT $A'$ which, on input a circuit $F$, decomposes $F = F_0 \# F_1$ and
evaluates $A^{F_1}(F_0, 1^k)$, where $k$ is the input length of $F_0$. Thus, when fed a circuit
from $O(\mathcal{F}_k)$ (resp., $O(\mathcal{G}_k)$), $A'$ is evaluating $A^{D}(C, 1^k)$ where $D$ computes the
same function as some circuit from $\mathcal{D}_{\alpha,\beta}$ and $C$ computes the same function as
$C_{\alpha,\beta}$ (resp., $Z_k$). Therefore, by Property 2 in Lemma 3.5 we have:

$$\Pr\left[A'(O(\mathcal{F}_k)) = 1\right] = 1 \qquad \Pr\left[A'(O(\mathcal{G}_k)) = 1\right] = 0.$$

We now argue that for any PPT algorithm $S$

$$\left|\Pr\left[S^{\mathcal{F}_k}(1^k) = 1\right] - \Pr\left[S^{\mathcal{G}_k}(1^k) = 1\right]\right| \le \mathrm{neg}(k),$$

which will contradict the definition of circuit obfuscators. Having oracle access
to a circuit from $\mathcal{F}_k$ (respectively, $\mathcal{G}_k$) is equivalent to having oracle access to
$C_{\alpha,\beta}$ (resp., $Z_k$) and $D \leftarrow \mathcal{D}_{\alpha,\beta}$, where $\alpha, \beta$ are selected uniformly in $\{0,1\}^k$.
Property 3 of Lemma 3.5 implies that the probability that $S$ queries the first
oracle at $\alpha$ is negligible, and hence $S$ cannot distinguish that oracle being $C_{\alpha,\beta}$
from its being $Z_k$. □

We can remove the assumption that one-way functions exist for efficient
circuit obfuscators via the following (easy) lemma (proven in the full version of
the paper).

Lemma 3.7. If efficient obfuscators exist, then one-way functions exist. 

Corollary 3.8. Efficient circuit obfuscators do not exist (unconditionally). 

As stated above, our impossibility proof can be cast in terms of “inherently
unobfuscatable functions”:

Theorem 3.9 (inherently unobfuscatable functions). If one-way func- 
tions exist, then there exists an inherently unobfuscatable function ensemble. 

Proof. Let $\mathcal{F}_k$ and $\mathcal{G}_k$ be the distributions on functions in the proof of Theorem
3.6, and let $\mathcal{H}_k$ be the distribution that, with probability 1/2 outputs a
sample of $\mathcal{F}_k$ and with probability 1/2 outputs a sample of $\mathcal{G}_k$. We claim that
$\{\mathcal{H}_k\}_{k \in \mathbb{N}}$ is an inherently unobfuscatable function ensemble.

The fact that $\{\mathcal{H}_k\}_{k \in \mathbb{N}}$ is efficiently computable is obvious. We define $\pi(f)$
to be 1 if $f \in \bigcup_k \mathrm{Supp}(\mathcal{F}_k)$ and 0 otherwise (note that $\left(\bigcup_k \mathrm{Supp}(\mathcal{F}_k)\right) \cap
\left(\bigcup_k \mathrm{Supp}(\mathcal{G}_k)\right) = \emptyset$ and so $\pi(f) = 0$ for any $f \in \bigcup_k \mathrm{Supp}(\mathcal{G}_k)$). The algorithm
$A'$ given in the proof of Theorem 3.6 shows that $\pi(f)$ can be computed
in polynomial time from any circuit computing $f \in \mathrm{Supp}(\mathcal{H}_k)$. Because oracle
access to $\mathcal{F}_k$ cannot be distinguished from oracle access to $\mathcal{G}_k$ (as shown in the
proof of Theorem 3.6), it follows that $\pi(f)$ cannot be computed from an oracle
for $f \leftarrow \mathcal{H}_k$ with probability noticeably greater than 1/2. □
Abstract. We propose a new security measure for commitment protocols,
called Universally Composable (UC) Commitment. The measure
guarantees that commitment protocols behave like an “ideal commitment
service,” even when concurrently composed with an arbitrary set of protocols.
This is a strong guarantee: it implies that security is maintained
even when an unbounded number of copies of the scheme are running
concurrently, it implies non-malleability (not only with respect to other
copies of the same protocol but even with respect to other protocols), it
provides resilience to selective decommitment, and more.

Unfortunately, two-party UC commitment protocols do not exist in
the plain model. However, we construct two-party UC commitment
protocols, based on general complexity assumptions, in the common
reference string model where all parties have access to a common
string taken from a predetermined distribution. The protocols are
non-interactive, in the sense that both the commitment and the opening
phases consist of a single message from the committer to the receiver.

Keywords: Commitment schemes, concurrent composition, non-malleability,
security analysis of protocols.



1 Introduction 

Commitment is one of the most basic and useful cryptographic primitives. It is 
an essential building block in Zero-Knowledge protocols (e.g., [gmw91,bcc88, 
d89]), in general function evaluation protocols (e.g., [gmw87,GHy88,g98]), in 
contract-signing and electronic commerce, and more. Indeed, commitment pro- 
tocols have been studied extensively in the past two decades (e.g., [n91,ddn00, 
novy92,b99,dio98,ff00,dkos01]). 

The basic idea behind the notion of commitment is attractively simple: A 
committer provides a receiver with the digital equivalent of a “sealed envelope” 
containing a value x. From this point on, the committer cannot change the value 
inside the envelope, and, as long as the committer does not assist the receiver 
in opening the envelope, the receiver learns nothing about x. When both parties
cooperate, the value x is retrieved in full. 

Formalizing this intuitive idea is, however, non-trivial. Traditionally, two 
quite distinct basic flavors of commitment are formalized: unconditionally bind- 
ing and unconditionally secret commitment protocols (see, e.g., [g95]). These 
basic definitions are indeed sufficient for some applications (see there) . But they 
treat commitment as a “stand alone” task and do not in general guarantee se- 
curity when a commitment protocol is used as a building-block within other 
protocols, or when multiple copies of a commitment protocol are carried out 
together. A good first example for the limitations of the basic definitions is the 
selective decommitment problem [dnrs99], that demonstrates our inability to 
prove some very minimal composition properties of the basic definitions. 

Indeed, the basic definitions turned out to be inadequate in some scenarios,
and stronger variants that allow to securely “compose” commitment protocols
— both with the calling protocol and with other invocations of the commitment
protocol — were proposed and successfully used in some specific contexts. One
such family of variants make sure that knowledge of certain trapdoor information
allows “opening” commitments in more than a single way. These include
chameleon commitments [bcc88], trapdoor commitments [fs90] and equivocable
commitments [b99]. Another strong variant is non-malleable commitments
[ddn00], where it is guaranteed that a dishonest party that receives an unopened
commitment to some value x will be unable to commit to a value that depends
on x in any way, except for generating another commitment to x. (A more relaxed
variant of the [ddn00] notion of non-malleability is non-malleability with
respect to opening [dio98,ff00,dkos01].)

These stronger measures of security for commitment protocols are indeed very
useful. However they only solve specific problems and stop short of guaranteeing
that commitment protocols maintain the expected behavior in general cryptographic
contexts, or in other words when composed with arbitrary protocols. To
exemplify this point, notice for instance that, although [ddn00] remark on more
general notions of non-malleability, the standard notion of non-malleability considers
only other copies of the same protocol. There is no guarantee that a malicious
receiver is unable to “maul” a given commitment by using a totally different
commitment protocol. And it is indeed easy to come up with two commitment
protocols C and C' such that both are non-malleable with respect to themselves,
but an adversary that plays a receiver in C can generate a C'-commitment to a
related value.

This work proposes a measure of security for commitment protocols that
guarantees the “envelope-like” intuitive properties of commitment even when
the commitment protocol is concurrently composed with an arbitrary set of protocols.
In particular, protocols that satisfy this measure (called universally composable
(UC) commitment protocols) remain secure even when an unbounded
number of copies of the protocol are executed concurrently in an adversarially
controlled way; they are resilient to selective decommitment attacks; they are
non-malleable both with respect to other copies of the same protocol and with respect
to arbitrary commitment protocols. In general, a UC commitment protocol
successfully emulates an “ideal commitment service” for any application proto- 
col (be it a Zero-Knowledge protocol, a general function evaluation protocol, an 
e-commerce application, or any combination of the above). 

This measure of security for commitment protocols is very strong indeed.
It is perhaps not surprising then that UC commitment protocols which involve
only the committer and the receiver do not exist in the standard “plain model”
of computation where no set-up assumptions are provided. (We formally prove
this fact.) However, in the common reference string (CRS) model things look
better. (The CRS model is a generalization of the common random string model.
Here all parties have access to a common string that was chosen according to
some predefined distribution. Other equivalent terms include the reference string
model [d00] and the public parameter model [ff00].) In this model we construct
UC commitment protocols based on standard complexity assumptions. A first
construction, based on any family of trapdoor permutations, requires the length
of the reference string to be linear in the number of invocations of the protocol
throughout the lifetime of the system. A second protocol, based on any claw-free
pair of trapdoor permutations, uses a short reference string for an unbounded
number of invocations. The protocols are non-interactive, in the sense that both
the commitment and the decommitment phases consist of a single message from
the committer to the receiver. We also note that UC commitment protocols can
be constructed in the plain model, if the committer and receiver are assisted by
third parties (or, “servers”) that participate in the protocol without having local
inputs and outputs, under the assumption that a majority of the servers remain
uncorrupted.



1.1 On the New Measure 

Providing meaningful security guarantees under composition with arbitrary protocols
requires using an appropriate framework for representing and arguing
about such protocols. Our treatment is based in a recently proposed such general
framework [c00a]. This framework builds on known definitions for function
evaluation and general tasks [gl90,mr91,b91,pw94,c00,dm00,pw01], and allows
defining the security properties of practically any cryptographic task. Most
importantly, in this framework security of protocols is maintained under general
concurrent composition with an unbounded number of copies of arbitrary protocols.
We briefly summarize the relevant properties of this framework. See more
details in Section 2.1 and in [c00a].

As in prior general definitions, the security requirements of a given task (i.e., 
the functionality expected from a protocol that carries out the task) are captured 
via a set of instructions for a “trusted party” that obtains the inputs of the 
participants and provides them with the desired outputs. However, as opposed 
to the standard case of secure function evaluation, here the trusted party (which 
is also called the ideal functionality) runs an arbitrary algorithm and in particular 
may interact with the parties in several iterations, while maintaining state in 
between. Informally, a protocol securely carries out a given task if running the
protocol amounts to “emulating” an ideal process where the parties hand their 
inputs to the appropriate ideal functionality and obtain their outputs from it, 
without any other interaction. 

In order to allow proving the concurrent composition theorem, the notion of
emulation in [c00a] is considerably stronger than previous ones. Traditionally,
the model of computation includes the parties running the protocol and an adversary,
$A$, and “emulating an ideal process” means that for any adversary $A$
there should exist an “ideal process adversary” (or, simulator) $S$ that results in
similar distribution on the outputs for the parties. Here an additional adversarial
entity, called the environment $Z$, is introduced. The environment generates
the inputs to all parties, reads all outputs, and in addition interacts with the
adversary in an arbitrary way throughout the computation. A protocol is said to
securely realize a given ideal functionality $\mathcal{F}$ if for any adversary $A$ there exists an
“ideal-process adversary” $S$, such that no environment $Z$ can tell whether it is
interacting with $A$ and parties running the protocol, or with $S$ and parties that
interact with $\mathcal{F}$ in the ideal process. (In a sense, here $Z$ serves as an “interactive
distinguisher” between a run of the protocol and the ideal process with access
to $\mathcal{F}$. See [c00a] for more motivating discussion on the role of the environment.)
Note that the definition requires the “ideal-process adversary” (or, simulator)
$S$ to interact with $Z$ throughout the computation. Furthermore, $Z$ cannot be
“rewound”.

The following universal composition theorem is proven in [c00a]. Consider
a protocol $\pi$ that operates in a hybrid model of computation where parties can
communicate as usual, and in addition have ideal access to (an unbounded number
of copies of) some ideal functionality $\mathcal{F}$. Let $\rho$ be a protocol that securely
realizes $\mathcal{F}$ as sketched above, and let $\pi^\rho$ be the “composed protocol”. That is,
$\pi^\rho$ is identical to $\pi$ with the exception that each interaction with some copy of
$\mathcal{F}$ is replaced with a call to (or an invocation of) an appropriate instance of $\rho$.
Similarly, $\rho$-outputs are treated as values provided by the appropriate copy of $\mathcal{F}$.
Then, $\pi$ and $\pi^\rho$ have essentially the same input/output behavior. In particular,
if $\pi$ securely realizes some ideal functionality $\mathcal{G}$ given ideal access to $\mathcal{F}$ then $\pi^\rho$
securely realizes $\mathcal{G}$ from scratch.

To apply this general framework to the case of commitment protocols, we
formulate an ideal functionality $\mathcal{F}_{\mathrm{COM}}$ that captures the expected behavior of
commitment. Universally Composable (UC) commitment protocols are defined to
be those that securely realize $\mathcal{F}_{\mathrm{COM}}$. Our formulation of $\mathcal{F}_{\mathrm{COM}}$ is a straightforward
transcription of the “envelope paradigm”: $\mathcal{F}_{\mathrm{COM}}$ first waits to receive a request
from some party $C$ to commit to value $x$ for party $R$. ($C$ and $R$ are identities
of two parties in a multiparty network.) When receiving such a request, $\mathcal{F}_{\mathrm{COM}}$
records the value $x$ and notifies $R$ that $C$ has committed to some value for him.
When $C$ later sends a request to open the commitment, $\mathcal{F}_{\mathrm{COM}}$ sends the recorded
value $x$ to $R$, and halts. (Some other variants of $\mathcal{F}_{\mathrm{COM}}$ are discussed within.)
The general composition theorem now implies that running (multiple copies of)
a UC commitment protocol $\pi$ is essentially equivalent to interacting with the
same number of copies of $\mathcal{F}_{\mathrm{COM}}$, regardless of what the calling protocol does. In
particular, the calling protocol may run other commitment protocols and may
use the committed values in any way. As mentioned above, this implies a strong
version of non-malleability, security under concurrent composition, resilience to
selective decommitment, and more.

The definition of security and composition theorem carry naturally to the CRS 
model as well. However, this model hides a caveat: The composition operation 
requires that each copy of the UC commitment protocol will have its own copy 
of the CRS. Thus, a protocol that securely realizes F_com as described above 
is highly wasteful of the reference string. In order to capture protocols where 
multiple commitments may use the same reference string we formulate a natural 
extension of F_com that handles multiple commitment requests. Let F_mcom denote 
this extension. 

We remark that UC commitment protocols need not, by definition, be either 
unconditionally secret or unconditionally binding. Indeed, one of the constructions 
presented here has neither property. 



1.2 On the Constructions 

At a closer look, the requirements from a UC commitment protocol boil down 
to the following two requirements from the ideal-process adversary (simulator) 
S. (a) When the committer is corrupted (i.e., controlled by the adversary), S 
must be able to “extract” the committed value from the commitment. (That 
is, S has to come up with a value x such that the committer will almost never 
be able to successfully decommit to any x' ≠ x.) This is so since in the ideal 
process S has to explicitly provide F_com with a committed value. (b) When 
the committer is uncorrupted, S has to be able to generate a kosher-looking 
“simulated commitment” c that can be “opened” to any value (which will become 
known only later). This is so since S has to provide adversary A and environment 
Z with the simulated commitment c before the value committed to is known. 
All this needs to be done without rewinding the environment Z. (Note that non-malleability 
is not explicitly required in this description. It is, however, implied 
by the above requirements.) 

From the above description it may look plausible that no simulator S exists 
that meets the above requirements in the plain model. Indeed, we formalize and 
prove this statement for the case of protocols that involve only a committer and 
a receiver. (In the case where the committer and the receiver are assisted by 
third parties, a majority of which is guaranteed to remain uncorrupted, standard 
techniques for multiparty computation are sufficient for constructing UC 
commitment protocols. See [c00a] for more details.) 

In the CRS model the simulator is “saved” by the ability to choose the reference 
string and plant trapdoors in it. Here we present two UC commitment 
protocols. The first one (that securely realizes functionality F_com) is based on 
the equivocable commitment protocols of [dio98], while allowing the simulator 
to have trapdoor information that enables it to extract the values committed 
to by corrupted parties. However, the equivocability property holds only with 
respect to a single usage of the CRS. Thus this protocol fails to securely realize 
the multiple commitment functionality F_mcom. 

In the second protocol (that securely realizes F_mcom), the reference string 
contains a description of a claw-free pair of trapdoor permutations and a public 
encryption key of an encryption scheme that is secure against adaptive chosen 
ciphertext attacks (CCA) (as in, say, [ddn00,rs91,bdpr98,cs98]). Commitments 
are generated via standard use of a claw-free pair, combined with encrypting potential 
decommitments. The idea to use CCA-secure encryption in this context 
is taken from [l00,dkos01]. 

Both protocols implement commitment to a single bit. Commitment to arbitrary 
strings is achieved by composing together several instances of the basic 
protocol. Finding more efficient UC commitment protocols for string commitment 
is an interesting open problem. 

Applicability of the notion. In addition to being an interesting goal in 
their own right, UC commitment protocols can potentially be very useful in 
constructing more complex protocols with strong security and composability 
properties. To demonstrate the applicability of the new notion, we show how UC 
commitment protocols can be used in a simple way to construct strong Zero-Knowledge 
protocols without any additional cryptographic assumptions. 

Related work. Pfitzmann et al. [pw94,pw01] present another definitional 
framework that allows capturing the security requirements of general reactive 
tasks, and prove a concurrent composition theorem with respect to their framework. 
Potentially, our work could be cast in their framework as well; however, 
the composition theorem provided there is considerably weaker than the one in 
[c00a]. 

Organization. Section 2 shortly reviews the general framework of [c00a] 
and presents the ideal commitment functionalities F_com and F_mcom. Section 
3 presents and proves security of the protocols that securely realize F_com and 
F_mcom. Section 4 demonstrates that functionalities F_com and F_mcom cannot be 
realized in the plain model by a two-party protocol. Section 5 presents the application 
to constructing Zero-Knowledge protocols. For lack of space most proofs 
are omitted. They appear in [cf01]. 

2 Definitions 

Section 2.1 shortly summarizes the relevant parts of the general framework of 
[c00a], including the definition of security and the composition theorem. Section 
2.2 defines the ideal commitment functionalities, F_com and F_mcom. 

2.1 The General Framework 

Protocol syntax. Following [GMRa89,c95], protocols are represented as a set 
of interactive Turing machines (ITMs). Specifically, the input and output tapes 
model inputs and outputs that are received from and given to other programs 
running on the same machine, and the communication tapes model messages 
sent to and received from the network. Adversarial entities are also modeled as 
ITMs; we concentrate on a non-uniform complexity model where the adversaries 
have an arbitrary additional input, or an “advice”. 

The adversarial model. [c00a] discusses several models of computation. We 
concentrate on one main model, aimed at representing current realistic communication 
networks (such as the Internet). Specifically, the network is asynchronous 
without guaranteed delivery of messages. The communication is public (i.e., all 
messages can be seen by the adversary) but ideally authenticated (i.e., messages 
cannot be modified by the adversary). In addition, parties have unique identities.¹ 
The adversary is adaptive in corrupting parties, and is active (or, Byzantine) 
in its control over corrupted parties. Finally, the adversary and environment 
are restricted to probabilistic polynomial time (or, “feasible”) computation. 

Protocol execution in the real-life model. We sketch the “mechanics” of 
executing a given protocol π (run by parties P_1, ..., P_n) with some adversary 
A and an environment machine Z with input z. All parties have a security parameter 
k ∈ ℕ and are polynomial in k. The execution consists of a sequence 
of activations, where in each activation a single participant (either Z, A, or 
some P_i) is activated. The activated participant reads information from its input 
and incoming communication tapes, executes its code, and possibly writes 
information on its outgoing communication tapes and output tapes. In addition, 
the environment can write information on the input tapes of the parties, 
and read their output tapes. The adversary can read messages off the outgoing 
message tapes of the parties and deliver them by copying them to the incoming 
message tapes of the recipient parties. The adversary can also corrupt parties, 
with the usual consequences that it learns the internal information known to the 
corrupted party and that from now on it controls that party. 

The environment is activated first; once activated, it may choose to activate 
either one of the parties (with some input value) or to activate the adversary. 
Whenever the adversary delivers a message to some party P, this party 
is activated next. Once P’s activation is complete, the environment is activated. 
Throughout, the environment and the adversary may exchange information 
freely using their input and output tapes. The output of the protocol 
execution is the output of Z. (Without loss of generality Z outputs a single bit.) 

Let REAL_{π,A,Z}(k, z, r) denote the output of environment Z when interacting 
with adversary A and parties running protocol π on security parameter k, input 
z and random input r = r_Z, r_A, r_1 ... r_n as described above (z and r_Z for Z, 
r_A for A; r_i for party P_i). Let REAL_{π,A,Z}(k, z) denote the random variable 
describing REAL_{π,A,Z}(k, z, r) when r is uniformly chosen. Let REAL_{π,A,Z} denote 
the ensemble 

$$\mathrm{REAL}_{\pi,A,Z} = \{\mathrm{REAL}_{\pi,A,Z}(k,z)\}_{k\in\mathbb{N},\; z\in\{0,1\}^*}.$$

¹ Indeed, the communication in realistic networks is typically unauthenticated, in the 
sense that messages may be adversarially modified en-route. In addition, there is no 
guarantee that identities will be unique. Nonetheless, since authentication and the 
guarantee of unique identities can be added independently of the rest of the protocol, 
we allow ourselves to assume ideally authenticated channels and unique identities. 
See [c00a] for further discussion. 

The ideal process. Security of protocols is defined via comparing the protocol 
execution in the real-life model to an ideal process for carrying out the task 
at hand. A key ingredient in the ideal process is the ideal functionality that 
captures the desired functionality, or the specification, of that task. The ideal 
functionality is modeled as another ITM that interacts with the environment and 
the adversary via a process described below. More specifically, the ideal process 
involves an ideal functionality F, an ideal process adversary S, an environment Z 
on input z and a set of dummy parties P_1, ..., P_n. The dummy parties are fixed and 
simple ITMs: Whenever a dummy party is activated with input x, it forwards 
x to F, say by copying x to its outgoing communication tape; whenever it is 
activated with incoming message from F it copies this message to its output. F 
receives information from the (dummy) parties by reading it off their outgoing 
communication tapes. It hands information back to the parties by sending this 
information to them. The ideal-process adversary S proceeds as in the real-life 
model, except that it has no access to the contents of the messages sent between 
F and the parties. In particular, S is responsible for delivering messages, and it 
can corrupt dummy parties, learn the information they know, and control their 
future activities. 

The order of events in the ideal process is as follows. As in the real-life model, 
the environment is activated first. As there, parties are activated when they receive 
new information (here this information comes either from the environment 
or from F). In addition, whenever a dummy party P sends information to F, 
then F is activated. Once F completes its activation, P is activated again. Also, 
F may exchange messages directly with the adversary. It is stressed that in the 
ideal process there is no communication among the parties. The only “communication” 
is in fact idealized transfer of information between the parties and the 
ideal functionality. The output of the ideal process is the (one bit) output of Z. 

Let IDEAL_{F,S,Z}(k, z, r) denote the output of environment Z after interacting 
in the ideal process with adversary S and ideal functionality F, on security 
parameter k, input z, and random input r = r_Z, r_S, r_F as described above (z 
and r_Z for Z, r_S for S; r_F for F). Let IDEAL_{F,S,Z}(k, z) denote the random variable 
describing IDEAL_{F,S,Z}(k, z, r) when r is uniformly chosen. Let IDEAL_{F,S,Z} 
denote the ensemble 

$$\mathrm{IDEAL}_{F,S,Z} = \{\mathrm{IDEAL}_{F,S,Z}(k,z)\}_{k\in\mathbb{N},\; z\in\{0,1\}^*}.$$

Securely realizing an ideal functionality. We say that a protocol ρ securely 
realizes an ideal functionality F if for any real-life adversary A there exists an 
ideal-process adversary S such that no environment Z, on any input, can tell with 
non-negligible probability whether it is interacting with A and parties running ρ 
in the real-life process, or it is interacting with S and F in the ideal process. This 
means that, from the point of view of the environment, running protocol ρ is 
‘just as good’ as interacting with an ideal process for F. (In a way, Z serves as an 
“interactive distinguisher” between the two processes. Here it is important that 
Z can provide the process in question with adaptively chosen inputs throughout 
the computation.) 
Definition 1. Let X = {X(k, a)}_{k∈ℕ, a∈{0,1}*} and Y = {Y(k, a)}_{k∈ℕ, a∈{0,1}*} be 
two distribution ensembles over {0, 1}. We say that X and Y are indistinguishable 
(written X ≈ Y) if for any c ∈ ℕ there exists k_0 ∈ ℕ such that 

$$\bigl|\Pr(X(k,a)=1) - \Pr(Y(k,a)=1)\bigr| < k^{-c}$$

for all k > k_0 and all a. 

Definition 2 ([c00a]). Let n ∈ ℕ. Let F be an ideal functionality and let π 
be an n-party protocol. We say that π securely realizes F if for any adversary A 
there exists an ideal-process adversary S such that for any environment Z we 
have 

$$\mathrm{IDEAL}_{F,S,Z} \approx \mathrm{REAL}_{\pi,A,Z}.$$

The common reference string (CRS) model. In this model it is assumed 
that all the participants have access to a common string that is drawn from 
some specified distribution. (This string is chosen ahead of time and is made 
available before any interaction starts.) It is stressed that the security of the 
protocol depends on the fact that the reference string is generated using a pre-specified 
randomized procedure, and no “trapdoor information” related to the 
string exists in the system. This in turn implies full trust in the entity that 
generates the reference string. More precisely, the CRS model is formalized as 
follows. 

— The real-life model of computation is modified so that all participants have 
access to a common string that is chosen in advance according to some 
distribution (specified by the protocol run by the parties) and is written in 
a special location on the input tape of each party. 

— The ideal process is modified as follows. In a preliminary step, the ideal- 
model adversary chooses a string in some arbitrary way and writes this 
string on the input tape of the environment machine. After this initial step 
the computation proceeds as before. It is stressed that the ideal functionality 
has no access to the reference string. 

Justification of the CRS model. Allowing the ideal-process adversary (i.e., 
the simulator) to choose the reference string is justified by the fact that the 
behavior of the ideal functionality does not depend on the reference string. This 
means that the security guarantees provided by the ideal process hold regardless 
of how the reference string is chosen and whether trapdoor information regarding 
this string is known. 

On the composition theorem: The hybrid model. In order to state the 
composition theorem, and in particular in order to formalize the notion of a real-life 
protocol with access to an ideal functionality, the hybrid model of computation 
with access to an ideal functionality F (or, in short, the F-hybrid model) 
is formulated. This model is identical to the real-life model, with the following 
exceptions. In addition to sending messages to each other, the parties may send 
messages to and receive messages from an unbounded number of copies of F. 
Each copy of F is identified via a unique session identifier (SID); all messages 
addressed to this copy and all messages sent by this copy carry the corresponding 
SID. (The SIDs are chosen by the protocol run by the parties.) 
The communication between the parties and each one of the copies of F 
mimics the ideal process. That is, once a party sends a message to some copy 
of F, that copy is immediately activated and reads that message off the party’s 
tape. Furthermore, although the adversary in the hybrid model is responsible 
for delivering the messages from the copies of F to the parties, it does not have 
access to the contents of these messages. 

Replacing a call to F with a protocol invocation. Let π be a protocol 
in the F-hybrid model, and let ρ be a protocol that securely realizes F (with 
respect to some class of adversaries). The composed protocol π^ρ is constructed 
by modifying the code of each ITM in π so that the first message sent to each 
copy of F is replaced with an invocation of a new copy of ρ with fresh random 
input, and with the contents of that message as input. Each subsequent message 
to that copy of F is replaced with an activation of the corresponding copy of ρ, 
with the contents of that message given to ρ as new input. Each output value 
generated by a copy of ρ is treated as a message received from the corresponding 
copy of F. 

Theorem statement. In its general form, the composition theorem basically 
says that if ρ securely realizes F then an execution of the composed protocol π^ρ 
“emulates” an execution of protocol π in the F-hybrid model. That is, for any 
real-life adversary A there exists an adversary H in the F-hybrid model such 
that no environment machine Z can tell with non-negligible probability whether 
it is interacting with A and π^ρ in the real-life model or it is interacting with H 
and π in the F-hybrid model. 

A more specific corollary of the general theorem states that if π securely 
realizes some functionality G in the F-hybrid model, and ρ securely realizes F in 
the real-life model, then π^ρ securely realizes G in the real-life model. (Here one 
has to define what it means to securely realize functionality G in the F-hybrid 
model. This is done in the natural way.) 

Theorem 1 ([c00a]). Let F, G be ideal functionalities. Let π be an n-party 
protocol that securely realizes G in the F-hybrid model and let ρ be an n-party protocol 
that securely realizes F. Then protocol π^ρ securely realizes G. 

Protocol composition in the CRS model. Some words of clarification are in order 
with respect to the composition theorem in the CRS model. Specifically, it is stressed 
that each copy of protocol ρ within the composed protocol should have its own 
copy of the reference string, or equivalently uses a separate portion of a long string. 
(If this is not the case then the theorem no longer holds in general.) As seen below, 
the behavior of protocols where several copies of the protocol use the same instance of 
the reference string can be captured using ideal functionalities that represent multiple 
copies of the protocol within a single copy of the functionality. 

2.2 The Commitment Functionalities 

We propose ideal functionalities that represent the intuitive “envelope-like” properties 
of commitment, as sketched in the introduction. Two functionalities are 
presented: functionality F_com that handles a single commitment-decommitment 
process, and functionality F_mcom that handles multiple such processes. (Indeed, 
in the plain model functionality F_mcom would be redundant, since one can use 
the composition theorem to obtain protocols that securely realize F_mcom from 
any protocol that securely realizes F_com. However, in the CRS model realizing 
F_mcom is considerably more challenging than realizing F_com.) Some further discussion 
on the functionalities and possible variants appears in [cf01]. 

Both functionalities are presented as bit commitments. Commitments to 
strings can be obtained in a natural way using the composition theorem. It is 
also possible, in principle, to generalize F_com and F_mcom to allow commitment 
to strings. Such extensions may be realized by string-commitment protocols that 
are more efficient than straightforward composition of bit commitment protocols. 
Finding such protocols is an interesting open problem. 



Functionality F_com 

F_com proceeds as follows, running with parties P_1, ..., P_n and an adversary S. 

1. Upon receiving a value (Commit, sid, P_i, P_j, b) from P_i, where b ∈ {0,1}, 
record the value b and send the message (Receipt, sid, P_i, P_j) to P_j and 
S. Ignore any subsequent Commit messages. 

2. Upon receiving a value (Open, sid, P_i, P_j) from P_i, proceed as follows: 
If some value b was previously recorded, then send the message 
(Open, sid, P_i, P_j, b) to P_j and S and halt. Otherwise halt. 

Fig. 1. The Ideal Commitment functionality for a single commitment 



Functionality F_com, described in Figure 1, proceeds as follows. The commitment 
phase is modeled by having F_com receive a value (Commit, sid, P_i, P_j, b), 
from some party P_i (the committer). Here sid is a Session ID used to distinguish 
among various copies of F_com, P_j is the identity of another party (the receiver), 
and b ∈ {0, 1} is the value committed to. In response, F_com lets the receiver 
P_j and the adversary S know that P_i has committed to some value, and that 
this value is associated with session ID sid. This is done by sending the message 
(Receipt, sid, P_i, P_j) to P_j and S. The opening phase is initiated by the committer 
sending a value (Open, sid, P_i, P_j) to F_com. In response, F_com hands the 
value (Open, sid, P_i, P_j, b) to P_j and S. 

Functionality F_mcom, presented in Figure 2, essentially mimics the operation 
of F_com for an unbounded number of times. In addition to the session ID sid, 
functionality F_mcom uses an additional identifier, a Commitment ID cid, that is 
used to distinguish among the different commitments that take place within a 
single run of F_mcom. The record for a committed value now includes the Commitment 
ID, plus the identities of the committer and receiver. To avoid ambiguities, 
no two commitments with the same committer and receiver are allowed to have 
the same Commitment ID. It is stressed that the various Commit and Open requests 
may be interleaved in an arbitrary way. Also, note that F_mcom allows a 
committer to open a commitment several times (to the same receiver). 



Functionality F_mcom 

F_mcom proceeds as follows, running with parties P_1, ..., P_n and an adversary S. 

1. Upon receiving a value (Commit, sid, cid, P_i, P_j, b) from P_i, where 
b ∈ {0,1}, record the tuple (cid, P_i, P_j, b) and send the message 
(Receipt, sid, cid, P_i, P_j) to P_j and S. Ignore subsequent 
(Commit, sid, cid, P_i, P_j, ...) values. 

2. Upon receiving a value (Open, sid, cid, P_i, P_j) from P_i, proceed as follows: 
If the tuple (cid, P_i, P_j, b) is recorded then send the message 
(Open, sid, cid, P_i, P_j, b) to P_j and S. Otherwise, do nothing. 

Fig. 2. The Ideal Commitment functionality for multiple commitments 



Definition 3. A protocol is a universally composable (UC) commitment protocol 
if it securely realizes functionality F_com. If the protocol securely realizes F_mcom 
then it is called a reusable-CRS UC commitment protocol. 

Remark: On duplicating commitments. Notice that functionalities F_com 
and F_mcom disallow “copying commitments”. That is, assume that party A commits 
to some value x for party B, and that the commitment protocol in use allows 
B to commit to the same value x for some party C, before A decommitted to x. 
Once A decommits to x for B, B will decommit to x for C. Then this protocol 
does not securely realize F_com or F_mcom. This requirement may seem hard to 
enforce at first, since B can always play “man in the middle” (i.e., forward A’s 
messages to C and C’s messages to A.) We enforce it using the unique identities 
of the parties. (Recall that unique identities are assumed to be provided via an 
underlying lower-level protocol that also guarantees authenticated communication.) 
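As an added illustration (not code from the paper), the following Python model of F_mcom from Figure 2 runs an interleaved scenario between constructed parties A, B and C and shows which requests the functionality accepts and ignores, including why the “copied commitment” of the remark above cannot occur in the ideal process. Party names, sid and cid values are constructed sample identifiers.

```python
from dataclasses import dataclass, field


@dataclass
class FMCom:
    """Ideal functionality F_mcom (Figure 2) for one session id `sid`.

    Added illustration of the functionality's rules, not code from the paper.
    records maps (cid, P_i, P_j) -> b.  Every accepted Commit/Open yields an
    output for the receiver P_j plus a copy for the ideal-process adversary S,
    returned as a list of (recipient, message) pairs."""
    sid: str
    records: dict = field(default_factory=dict)

    def handle(self, sender, msg):
        """Process one request `msg` (a tuple) arriving from party `sender`."""
        if msg[0] == "Commit" and len(msg) == 6:
            _, sid, cid, pi, pj, b = msg
            # a Commit naming P_i as committer is only accepted from P_i itself
            if sid != self.sid or sender != pi or b not in (0, 1):
                return []
            key = (cid, pi, pj)
            if key in self.records:        # subsequent Commit for same key: ignored
                return []
            self.records[key] = b
            receipt = ("Receipt", sid, cid, pi, pj)
            return [(pj, receipt), ("S", receipt)]
        if msg[0] == "Open" and len(msg) == 5:
            _, sid, cid, pi, pj = msg
            if sid != self.sid or sender != pi:
                return []
            key = (cid, pi, pj)
            if key not in self.records:    # nothing recorded: do nothing
                return []
            opened = ("Open", sid, cid, pi, pj, self.records[key])
            return [(pj, opened), ("S", opened)]
        return []                          # malformed requests are ignored


def run_scenario():
    """Interleaved requests between constructed parties A, B and C.
    Returns the functionality's reaction to each request."""
    f = FMCom("sid-1")
    out = {}
    # A commits to bit 1 for B under cid "c1"; B and S learn only a Receipt
    out["receipt"] = f.handle("A", ("Commit", "sid-1", "c1", "A", "B", 1))
    # a second Commit with the same (cid, A, B) is ignored
    out["dup_commit"] = f.handle("A", ("Commit", "sid-1", "c1", "A", "B", 0))
    # B cannot relay A's commitment towards C: B never learns the bit, and a
    # Commit that names A as committer is rejected when sent by B
    out["copy_attempt"] = f.handle("B", ("Commit", "sid-1", "c1", "A", "C", 1))
    # Open before any Commit under cid "c9" does nothing
    out["open_unknown"] = f.handle("A", ("Open", "sid-1", "c9", "A", "B"))
    # only the committer may open; an Open sent by the receiver is ignored
    out["open_by_receiver"] = f.handle("B", ("Open", "sid-1", "c1", "A", "B"))
    # A opens: B and S learn the bit; A may open again, to the same value
    out["open"] = f.handle("A", ("Open", "sid-1", "c1", "A", "B"))
    out["reopen"] = f.handle("A", ("Open", "sid-1", "c1", "A", "B"))
    # the same cid is free for a different committer/receiver pair
    out["other_pair"] = f.handle("C", ("Commit", "sid-1", "c1", "C", "A", 0))
    return out
```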



3 Universally Composable Commitment Schemes 

We present two constructions of UC commitment protocols in the common reference 
string model. The protocol presented in Section 3.1 securely realizes functionality 
F_com, i.e. each part of the public string can only be used for a single 
commitment. It is based on any trapdoor permutation. The protocol presented 
in Section 3.2 securely realizes F_mcom, i.e. it reuses the public string for multiple 
commitments. This protocol requires potentially stronger assumptions (either 
existence of claw-free pairs of trapdoor permutations or alternatively the hardness 
of discrete log). 
3.1 One-Time Common Reference String 

The construction in this section works in the common random string model where 
each part of the reference string can be used only once for a commitment. It is based 
on the equivocable bit commitment scheme of Di Crescenzo et al. [dio98], which 
in turn is a clever modification of Naor’s commitment scheme [n91]. 

Let G be a pseudorandom generator stretching n-bit inputs to 4n-bit outputs. 
For security parameter n the receiver in [n91] sends a random 4n-bit string σ to 
the sender, who picks a random r ∈ {0, 1}^n, computes G(r) and returns G(r) or 
G(r) ⊕ σ to commit to 0 and 1, respectively. To decommit, the sender transmits 
b and r. By the pseudorandomness of G the receiver cannot distinguish both 
cases, and with probability 2^{-2n} over the choice of σ it is impossible to find 
openings r_0 and r_1 such that G(r_0) = G(r_1) ⊕ σ. 

In [dio98] an equivocable version of Naor’s scheme has been proposed. Suppose 
that σ is not chosen by the receiver, but rather is part of the common 
random string. Then, if instead we set σ = G(r_0) ⊕ G(r_1) for random r_0, r_1, and 
let the sender give G(r_0) to the receiver, it is later easy to open this commitment 
as 0 with r_0 as well as 1 with r_1 (because G(r_0) ⊕ σ = G(r_1)). On the other 
hand, choosing σ in that way is indistinguishable from a truly random choice. 

We describe a UC bit commitment protocol UCC_OneTime (for universally composable 
commitment scheme in the one-time-usable common reference string 
model). The idea is to use the [dio98] scheme with a special pseudorandom 
generator, namely, the Blum-Micali-Yao generator based on any trapdoor permutation 
[y82,bm84]. Let KGen denote an efficient algorithm that on input 1^n 
generates a random public key pk and the trapdoor td. The key pk describes 
a trapdoor permutation f_pk over {0, 1}^n. Let B(·) be a hard core predicate for 
f_pk. Define a pseudorandom generator expanding n bits to 4n bits with public 
description pk by 

$$G_{pk}(r) = B\bigl(f_{pk}^{(4n-1)}(r)\bigr),\ \ldots,\ B\bigl(f_{pk}(r)\bigr),\ B(r)$$

where f_pk^{(i)}(r) is the i-th fold application of f_pk to r. An important feature of 
this generator is that given the trapdoor td to pk it is easy to recognize images 
y ∈ {0,1}^{4n} under G_pk. 

The public random string in our scheme consists of a random 4n-bit string 
σ, together with two public keys pk_0, pk_1 describing trapdoor pseudorandom 
generators G_{pk_0} and G_{pk_1}; both generators stretch n-bit inputs to 4n-bit outputs. 
The public keys pk_0, pk_1 are generated by two independent executions of the key 
generation algorithm KGen on input 1^n. Denote the corresponding trapdoors by 
td_0 and td_1, respectively. 

In order to commit to a bit b ∈ {0,1}, the sender picks a random string 
r ∈ {0, 1}^n, computes G_{pk_b}(r), and sets y = G_{pk_b}(r) if b = 0, or y = G_{pk_b}(r) ⊕ σ 
for b = 1. The sender passes y to the receiver. In the decommitment step the 
sender gives (b, r) to the receiver, who verifies that y = G_{pk_b}(r) for b = 0 or that 
y = G_{pk_b}(r) ⊕ σ for b = 1. See also Figure 3. 
Commitment scheme UCC_OneTime 

public string: 

  σ — random string in {0, 1}^{4n} 

  pk_0, pk_1 — keys for generators G_{pk_0}, G_{pk_1}: {0, 1}^n → {0, 1}^{4n} 

commitment for b ∈ {0, 1} with SID sid: 

  compute G_{pk_b}(r) for random r ∈ {0, 1}^n 

  set y = G_{pk_b}(r) for b = 0, or y = G_{pk_b}(r) ⊕ σ for b = 1 

  send (Com, sid, y) to receiver 

decommitment for y: 

  send b, r to receiver 

  receiver checks y =? G_{pk_b}(r) for b = 0, or y =? G_{pk_b}(r) ⊕ σ for b = 1 

Fig. 3. Commitment Scheme in the One-Time-Usable Common Reference String Model 



Clearly, the scheme is computationally hiding and statistically binding. An 
important observation is that our scheme inherits the equivocability property of 
[dio98]. In a simulation we replace σ by G_{pk_0}(r_0) ⊕ G_{pk_1}(r_1) and therefore, if 
we impersonate the sender and transmit y = G_{pk_0}(r_0) to a receiver, then we can 
later open this value with 0 by sending r_0 and with 1 via r_1. 
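The commitment of Figure 3 together with the simulator's equivocation just described, as an added example that is not part of the paper: the trapdoor permutation f_pk is instantiated with textbook RSA on constructed toy moduli (far too small to be secure), B is the least significant bit, and the seed length n is 16 bits; σ, pk_0 and pk_1 play the roles they have in the public string of Figure 3.

```python
import secrets

# Constructed toy RSA moduli (1000003*1000033 and 1000037*1000039, e = 65537);
# insecure, just large enough to run the protocol.  f_pk(x) = x^e mod N.
PK0 = (1000003 * 1000033, 65537)
PK1 = (1000037 * 1000039, 65537)
N_BITS = 16                 # seed length n; sigma and outputs have 4n bits
OUT_BITS = 4 * N_BITS


def hard_core_bit(x):
    """B(x): least significant bit, a hard-core predicate of RSA."""
    return x & 1


def g_pk(pk, r):
    """Blum-Micali-Yao generator from the text,
    G_pk(r) = B(f^{(4n-1)}(r)), ..., B(f(r)), B(r), as a 4n-bit integer
    whose least significant bit is B(r)."""
    modulus, e = pk
    x, value = r, 0
    for i in range(OUT_BITS):
        value |= hard_core_bit(x) << i
        x = pow(x, e, modulus)       # next fold application of f_pk
    return value


def random_seed():
    """r <- {0,1}^n (kept below both prime factors, so gcd(r, N) = 1)."""
    return secrets.randbits(N_BITS) + 1


def honest_crs():
    """Public string as honestly generated: random sigma and the two keys."""
    sigma = secrets.randbits(OUT_BITS)
    return (sigma, PK0, PK1)


def commit(crs, b, r):
    """Sender: y = G_{pk_b}(r) for b = 0, y = G_{pk_b}(r) xor sigma for b = 1."""
    sigma, pk0, pk1 = crs
    y = g_pk((pk0, pk1)[b], r)
    return y ^ sigma if b == 1 else y


def verify(crs, y, b, r):
    """Receiver's decommitment check from Figure 3."""
    return y == commit(crs, b, r)


def simulated_crs():
    """Simulator's CRS: sigma = G_{pk0}(r0) xor G_{pk1}(r1).
    Returns the CRS and the two equivocation seeds r0, r1."""
    r0, r1 = random_seed(), random_seed()
    sigma = g_pk(PK0, r0) ^ g_pk(PK1, r1)
    return (sigma, PK0, PK1), r0, r1


def equivocal_commitment(crs, r0):
    """Simulator sends y = G_{pk0}(r0); it opens as 0 with r0 and as 1 with r1,
    since G_{pk1}(r1) xor sigma = G_{pk0}(r0)."""
    return g_pk(crs[1], r0)
```

With an honestly generated σ a commitment opens only to the bit it was made with; the equivocation works precisely because the simulator chose σ, which is why the protocol consumes a fresh part of the reference string per commitment.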

Moreover, if we are given a string y*, e.g., produced by the adversary, and 
we know the trapdoor td_0 to pk_0, then it is easy to check if y* is an image under 
G_{pk_0} and therefore represents a 0-commitment. Unless y* belongs to G_{pk_0} and, 
simultaneously, y* ⊕ σ belongs to G_{pk_1}, the encapsulated bit is unique and we can 
extract the correct value with td_0. (We stress, however, that this property will 
not be directly used in the proof. This is so since there the CRS has a different 
distribution, so a more sophisticated argument is needed.) 

To summarize, our commitment scheme supports equivocability and extraction. 
The proof of the following theorem appears in [cf01]. 

Theorem 2. Protocol UCC_OneTime securely realizes functionality F_com in the 
CRS model. 

3.2 Reusable Common Reference String 

The drawback of the construction in the previous section is that a fresh part of 
the random string must be reserved for each committed bit. In this section, we 
overcome this disadvantage under a potentially stronger assumption, namely the 
existence of claw-free trapdoor permutation pairs. We concentrate on a solution 
that only works for erasing parties in general, i.e., security is based on the parties’ 
ability to irrevocably erase certain data as soon as they are supposed to. At the 
end of this section we sketch a solution that does not require data erasures. This 
solution is based on the Decisional Diffie-Hellman assumption. 

Basically, a claw-free trapdoor permutation pair is a pair of trapdoor permutations 
with a common range such that it is hard to find two elements that are 
preimages of the same element under the two permutations. More formally, a key 
generation algorithm KGen_claw outputs a random public key pk_claw and a trapdoor td_claw. 
The public key defines permutations f_{0,pk_claw}, f_{1,pk_claw}: {0, 1}^n → {0, 1}^n, whereas 
the secret key describes the inverse functions f_{0,pk_claw}^{-1}, f_{1,pk_claw}^{-1}. It should be 
infeasible to find a claw x_0, x_1 with f_{0,pk_claw}(x_0) = f_{1,pk_claw}(x_1) given only pk_claw. 
For ease of notation we usually omit the keys and write f_0, f_1, f_0^{-1}, f_1^{-1} instead. 
Claw-free trapdoor permutation pairs exist for example under the assumption 
that factoring is hard [gmr88]. For a more formal definition see [g95]. 

We also utilize an encryption scheme E = (KGen, Enc, Dec) secure against 
adaptive chosen-ciphertext attacks, i.e., in the notation of [bdpr98] the encryption 
system should be IND-CCA2. On input 1^n the key generation algorithm 
KGen returns a public key pk_E and a secret key sk_E. An encryption of a message 
m is given by c ← Enc_{pk_E}(m), and the decryption of a ciphertext c is Dec_{sk_E}(c). 
It should always hold that Dec_{sk_E}(c) = m for c ← Enc_{pk_E}(m), i.e., the system 
supports errorless decryption. Again, we abbreviate Enc_{pk_E}(·) by Enc(·) and 
Dec_{sk_E}(·) by Dec(·). IND-CCA2 encryption schemes exist for example under the 
assumption that trapdoor permutations exist [ddn00]. A more efficient solution 
is based on the decisional Diffie-Hellman assumption [cs98]. Both schemes have 
errorless decryption. 

The commitment scheme UCC_ReUse (for universally composable commitment 
with reusable reference string) is displayed in Figure 4. The (reusable) public 
string contains random public keys pk_claw and pk_E. For a commitment to a bit b 
the sender P_i applies the trapdoor permutation f_b to a random x ∈ {0, 1}^n, computes 
c_b ← Enc_{pk_E}(x, P_i) and c_{1-b} ← Enc_{pk_E}(0^n, P_i), and sends the tuple (y, c_0, c_1) 
with y = f_b(x) to the receiver. The sender is also instructed to erase the randomness 
for the encryption of (0^n, P_i) before the commitment message is sent. 
This ciphertext is called a dummy ciphertext. 

To open the commitment, the committer P_i sends b, x and the randomness 
used for encrypting (x, P_i). The receiver P_j verifies that y = f_b(x), that the 
encryption randomness is consistent with c_b, and that cid was never used before 
in a commitment of P_i to P_j. 

We remark that including the sender’s identity in the encrypted strings plays 
an important role in the analysis. Essentially, this precaution prevents a cor- 
rupted committer from “copying” a commitment generated by an uncorrupted 
party. 

The fact that the dummy ciphertext is never opened buys us equivocability. 
Say that the ideal-model simulator knows the trapdoor of the claw-free permutation 
pair. Then it can compute the pre-images $x_0, x_1$ of some $y$ under both 
functions $f_0, f_1$ and send $y$ as well as encryptions of $(x_0, P_i)$ and $(x_1, P_i)$. To 
open it as 0 hand $0, x_0$ and the randomness for ciphertext $(x_0, P_i)$ to the 
receiver and claim to have erased the randomness for the other encryption. For a 
1-decommitment send $1, x_1$, the randomness for the encryption of $(x_1, P_i)$ and 
deny to know the randomness for the other ciphertext. If the encryption scheme 
is secure then it is intractable to distinguish dummy and such fake encryptions. 
Hence, this procedure is indistinguishable from the actual steps of the honest 
parties. 

Commitment scheme UCCReUse 

public string: 

    $pk_{claw}$ — public key for claw-free trapdoor permutation pair $f_0, f_1$ 
    $pk_E$ — public key for encryption algorithm Enc 

commitment by party $P_i$ to party $P_j$ to $b \in \{0,1\}$ with identifier sid, cid: 

    compute $y = f_b(x)$ for random $x \in \{0,1\}^n$; 
    compute $c_b \leftarrow \mathrm{Enc}(x, P_i)$ with randomness $r_b$; 
    compute $c_{1-b} \leftarrow \mathrm{Enc}(0^n, P_i)$ with randomness $r_{1-b}$; 
    erase $r_{1-b}$; 
    send (Com, sid, cid, $(y, c_0, c_1)$), and record (sid, cid, $b, x, r_b$). 

Upon receiving (Com, sid, cid, $(y, c_0, c_1)$) from $P_i$, 
    $P_j$ outputs (Receipt, sid, cid, $P_i$, $P_j$). 

decommitment for ($P_i, P_j$, sid, cid, $b, x, r_b$): 

    send (Dec, sid, cid, $b, x, r_b$) to $P_j$. 

Upon receiving (Dec, sid, cid, $b, x, r_b$), $P_j$ verifies that $y = f_b(x)$, 
    that $c_b$ is an encryption of $(x, P_i)$ under randomness $r_b$, 
    where $P_i$ is the committer's identity, 
    and that cid has not been used with this committer before. 

Fig. 4. Commitment Scheme with Reusable Reference String 

Analogously to the extraction procedure for the commitment scheme in the 
previous section, here an ideal-process adversary can also deduce the bit from an 
adversarial commitment $(y^*, c_0^*, c_1^*)$ if it knows the secret key of the encryption 
scheme. Specifically, decrypt $c_0^*$ to obtain $(x_0^*, P^*)$; if $x_0^*$ maps to $y^*$ under $f_0$ 
then let the guess be 0, else predict 1. This decision is only wrong if the adversary 
has found a claw, which happens only with negligible probability. The proof of 
the following theorem appears in [cf01]. 

Theorem 3. Protocol UCCReUse securely realizes functionality $\mathcal{F}_{MCOM}$ in the CRS 
model. 

A solution for non-erasing parties. The security of the above scheme depends 
on the ability and good-will of parties to securely erase sensitive data (specifically, to 
erase the randomness used to generate the dummy ciphertext). A careful look shows 
that it is possible to avoid the need to erase: It is sufficient to be able to generate a 
ciphertext without knowing the plaintext. Indeed, it would be enough to enable the 
parties to obliviously generate a string that is indistinguishable from a ciphertext. 
Then the honest parties can use this mechanism to produce the dummy ciphertext. 
while the simulator is still able to place the fake encryption into the commitment. For 
example, the Cramer-Shoup system in a subgroup $G$ of $\mathbb{Z}_p^*$ has this property under the 
decisional Diffie-Hellman assumption: To generate a dummy ciphertext simply generate 
four random elements in $G$. 

Relaxing the need for claw-free pairs. The above scheme was presented and 
proven using any claw-free pair of trapdoor permutations. However, it is easy to see 
that the claw-free pair can be substituted by chameleon commitments à la [bcc88], 
thus basing the security of the scheme on the hardness of the discrete logarithm or 
factoring. Further relaxing the underlying hardness assumptions is an interesting task. 



4 Impossibility of UC Commitments in the Plain Model 

This section demonstrates that in the plain model there cannot exist univer- 
sally composable commitment protocols that do not involve third parties in the 
interaction and allow for successful completion when both the sender and the 
receiver are honest. This impossibility result holds even under the more liberal 
requirement that for any real-life adversary and any environment there should be 
an ideal-model adversary (i.e., under a relaxed definition where the ideal-model 
simulator may depend on the environment). 

We remark that universally composable commitment protocols exist in the 
plain model if the protocol makes use of third parties, as long as a majority of the 
parties remain uncorrupted. This follows from a general result in [c00a], where 
it is shown that practically any functionality can be realized in this setting. 

Say that a protocol $\pi$ between $n$ parties $P_1, \ldots, P_n$ is bilateral if all except two 
parties stay idle and do not transmit messages. A bilateral commitment protocol 
$\pi$ is called terminating if, with non-negligible probability, the receiver $P_j$ accepts 
a commitment of the honest sender $P_i$ and outputs (Receipt, sid, $P_i$, $P_j$), and 
moreover if the receiver, upon getting a valid decommitment for a message $m$ 
and sid from the honest sender, outputs (Open, sid, $P_i, P_j, m$) with non-negligible 
probability. 

Theorem 4. There exists no bilateral, terminating protocol $\pi$ that securely 
realizes functionality $\mathcal{F}_{COM}$ in the plain model. This holds even if the ideal-model 
adversary $\mathcal{S}$ is allowed to depend on the environment $\mathcal{Z}$. 

Proof. The idea of the proof is as follows. Consider a protocol execution between an 
adversarially controlled committer $P_i$ and an honest receiver $P_j$, and assume that 
the adversary merely sends messages that are generated by the environment. The 
environment secretly picks a random bit $b$ at the beginning and generates the messages 
for $P_i$ by running the protocol of the honest committer for $b$ and $P_j$'s answers. In order 
to simulate this behavior, the ideal-model adversary $\mathcal{S}$ must be able to provide the 
ideal functionality with a value for the committed bit. For this purpose, the simulator 
has to “extract” the committed bit from the messages generated by the environment, 
without the ability to rewind the environment. However, as will be seen below, if the 
commitment scheme allows the simulator to successfully extract the committed bit, 
then the commitment is not secure in the first place (in the sense that a corrupted 
receiver can obtain the value of the committed bit from interacting with an honest 
committer). 

More precisely, let the bilateral protocol $\pi$ take place between the sender $P_i$ and 
the receiver $P_j$. Consider the following environment $\mathcal{Z}$ and real-life adversary $\mathcal{A}$. At 
the outset of the execution the adversary $\mathcal{A}$ corrupts the committer $P_i$. Then, in the 
sequel, $\mathcal{A}$ has the corrupted committer send every message it receives from $\mathcal{Z}$, and 
reports any reply received by $P_j$ to $\mathcal{Z}$. The environment $\mathcal{Z}$ secretly picks a random 
bit $b$ and follows the program of the honest sender to commit to $b$, as specified by $\pi$. 
Once the honest receiver has acknowledged the receipt of a commitment, $\mathcal{Z}$ lets $\mathcal{A}$ 
decommit to $b$ by following protocol $\pi$. Once the receiver outputs (Open, sid, $P_i, P_j, b'$), 
$\mathcal{Z}$ outputs 1 if $b = b'$ and outputs 0 otherwise. 

Formally, suppose that there is an ideal-model adversary $\mathcal{S}$ such that the real-life 
execution $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}$ is indistinguishable from the ideal process with $\mathcal{S}$. 
Then we construct a new environment $\mathcal{Z}'$ and a new real-life adversary 
$\mathcal{A}'$ for which there is no appropriate ideal-model adversary for $\pi$. This time, $\mathcal{A}'$ corrupts 
the receiver $P_j$ at the beginning. During the execution $\mathcal{A}'$ obtains messages from the 
honest committer $P_i$ and feeds these messages into a virtual copy of $\mathcal{S}$. The answers of $\mathcal{S}$, 
made on behalf of an honest receiver, are forwarded to $P_i$ in the name of the corrupted 
party $P_j$. At some point, $\mathcal{S}$ creates a submission (Commit, sid, $P_i, P_j, b'$) to $\mathcal{F}_{COM}$; the 
adversary $\mathcal{A}'$ outputs $b'$ and halts. If $\mathcal{S}$ halts without creating such a submission then 
$\mathcal{A}'$ outputs a random bit and halts. 

The environment $\mathcal{Z}'$ instructs the honest party $P_i$ to commit to a randomly chosen 
secret bit $b$. (No decommitment is ever carried out.) Conclusively, $\mathcal{Z}'$ outputs 1 iff the 
adversary's output $b'$ satisfies $b = b'$. 

By the termination property, we obtain from the virtual simulator $\mathcal{S}$ a bit $b'$ with 
non-negligible probability. This bit is a good approximation of the actual bit $b$, since 
$\mathcal{S}$ simulates the real protocol $\pi$ except with negligible error. Hence, the guess of $\mathcal{A}'$ for 
$b$ is correct with 1/2 plus a non-negligible probability. But for a putative ideal-model 
adversary $\mathcal{S}'$ predicting this bit $b$ with more than non-negligible probability over 1/2 
is impossible, since the view of $\mathcal{S}'$ in the ideal process is statistically independent from 
the bit $b$. (Recall that the commitment to $b$ is never opened.) 



5 Application to Zero-Knowledge 

In order to exemplify the power of UC commitments we show how they can be 
used to construct simple Zero-Knowledge (ZK) protocols with strong security 
properties. Specifically, we formulate an ideal functionality, $\mathcal{F}_{ZK}$, that captures 
the notion of Zero-Knowledge in a very strong sense. (In fact, $\mathcal{F}_{ZK}$ implies 
concurrent and non-malleable Zero-Knowledge proofs of knowledge.) We then show 
that in the $\mathcal{F}_{COM}$-hybrid model (i.e., in a model with ideal access to $\mathcal{F}_{COM}$) there 
is a 3-round protocol that securely realizes $\mathcal{F}_{ZK}$ with respect to any NP relation. 
Using the composition theorem of [c00a], we can replace $\mathcal{F}_{COM}$ with any UC 
commitment protocol. (This of course requires using the CRS model, unless we 
involve third parties in the interaction. Also, using functionality $\mathcal{F}_{MCOM}$ instead 
of $\mathcal{F}_{COM}$ is possible and results in a more efficient use of the common string.) 

Functionality $\mathcal{F}_{ZK}$, described in Figure 5, is parameterized by a binary relation 
$R(x, w)$. It first waits to receive a message (verifier, id, $P_i, P_j, x$) from some 
party $P_i$, interpreted as saying that $P_i$ wants $P_j$ to prove to $P_i$ that it knows 
a value $w$ such that $R(x, w)$ holds. Next, $\mathcal{F}_{ZK}$ waits for $P_j$ to explicitly provide 
a value $w$, and notifies $P_i$ whether $R(x, w)$ holds. (Notice that the adversary 
is notified whenever either the prover or the verifier starts an interaction. It is 
also notified whether the verifier accepts. This represents the fact that ZK is not 
traditionally meant to hide this information.) 



Functionality $\mathcal{F}_{ZK}$ 

$\mathcal{F}_{ZK}$ proceeds as follows, running with parties $P_1, \ldots, P_n$ and an adversary $\mathcal{S}$. 
The functionality is parameterized by a binary relation $R$. 

1. Wait to receive a value (verifier, id, $P_i, P_j, x$) from some party $P_i$. Once 
such a value is received, send (verifier, id, $P_i, P_j, x$) to $\mathcal{S}$, and ignore all 
subsequent (verifier, ...) values. 

2. Upon receipt of a value (prover, id, $P_j, P_i, x', w$) from $P_j$, let $v = 1$ if 
$x = x'$ and $R(x, w)$ holds, and $v = 0$ otherwise. Send (id, $v$) to $P_i$ and $\mathcal{S}$, 
and halt. 

Fig. 5. The Zero-Knowledge functionality, $\mathcal{F}_{ZK}$ 



We demonstrate a protocol for securely realizing $\mathcal{F}_{ZK}$ for any NP relation $R$. 
The protocol is a known one: It consists of $n$ parallel repetitions of the 3-round 
protocol of Blum for graph Hamiltonicity, where the prover's commitments are 
replaced by invocations of $\mathcal{F}_{COM}$. The protocol (in the $\mathcal{F}_{COM}$-hybrid model) is 
presented in Figure 6. 

We remark that in the $\mathcal{F}_{COM}$-hybrid model the protocol securely realizes $\mathcal{F}_{ZK}$ 
without any computational assumptions, and even if the adversary and the 
environment are computationally unbounded. (Of course, in order to securely realize 
$\mathcal{F}_{COM}$ the adversary and environment must be computationally bounded.) Also, 
in the $\mathcal{F}_{COM}$-hybrid model there is no need for a common reference string. That 
is, the CRS model is needed only for realizing $\mathcal{F}_{COM}$. 

Let $\mathcal{F}_{ZK}^H$ denote functionality $\mathcal{F}_{ZK}$ parameterized by the Hamiltonicity relation 
$H$. (I.e., $H(G, h) = 1$ iff $h$ is a Hamiltonian cycle in graph $G$.) The following 
theorem is proven in [cf01]. 

Theorem 5. Protocol HC securely realizes $\mathcal{F}_{ZK}^H$ in the $\mathcal{F}_{COM}$-hybrid model. 



Acknowledgements. We thank Yehuda Lindell for suggesting to use non-malleable 
encryptions for achieving non-malleability of commitments in the common 
reference string model. This idea underlies our scheme that allows reusing 
the common string for multiple commitments. (The same idea was independently 
suggested in [dkos01].) 
Protocol Hamilton-Cycle (HC) 

1. Given input (Prover, id, $P, V, G, h$), where $G$ is a graph over nodes $1, \ldots, n$, 
the prover $P$ proceeds as follows. If $h$ is not a Hamiltonian cycle in $G$, 
then $P$ sends a message reject to $V$. Otherwise, $P$ proceeds as follows 
for $k = 1, \ldots, n$: 

a) Choose a random permutation $\pi_k$ over $[n]$. 

b) Using $\mathcal{F}_{COM}$, commit to the edges of the permuted graph. That is, for 
each $(i, j) \in [n]^2$ send (Commit, $(i, j, k), P, V, e$) to $\mathcal{F}_{COM}$, where $e = 1$ 
if there is an edge between $\pi_k(i)$ and $\pi_k(j)$ in $G$, and $e = 0$ otherwise. 

c) Using $\mathcal{F}_{COM}$, commit to the permutation $\pi_k$. That is, for $l = 1, \ldots, L$ 
send (Commit, $(l, k), P, V, p_l$) to $\mathcal{F}_{COM}$ where $p_1, \ldots, p_L$ is a representation 
of $\pi_k$ in some agreed format. 

2. Given input (Verifier, id, $V, P, G$), the verifier $V$ waits to receive either 
reject from $P$, or (Receipt, $(i, j, k), P, V$) and (Receipt, $(l, k), P, V$) 
from $\mathcal{F}_{COM}$, for $i, j, k = 1, \ldots, n$ and $l = 1, \ldots, L$. If reject is received, then 
$V$ outputs 0 and halts. Otherwise, once all the (Receipt, ...) messages 
are received $V$ randomly chooses $n$ bits $c_1, \ldots, c_n$ and sends them to $P$. 

3. Upon receiving $c_1, \ldots, c_n$ from $V$, $P$ proceeds as follows for $k = 1, \ldots, n$: 

a) If $c_k = 0$ then send (Open, $(i, j, k), P, V$) and (Open, $(l, k), P, V$) to 
$\mathcal{F}_{COM}$ for all $i, j = 1, \ldots, n$ and $l = 1, \ldots, L$. 

b) If $c_k = 1$ then send (Open, $(i, j, k), P, V$) to $\mathcal{F}_{COM}$ for all $i, j = 1, \ldots, n$ 
such that the edge $\pi_k(i), \pi_k(j)$ is in the cycle $h$. 

4. Upon receiving the appropriate (Open, ...) messages from $\mathcal{F}_{COM}$, the verifier 
$V$ verifies that for all $k$ such that $c_k = 0$ the opened edges agree with 
the input graph $G$ and the opened permutation $\pi_k$, and for all $k$ such 
that $c_k = 1$ the opened edges are all 1 and form a cycle. If verification 
succeeds then output 1, otherwise output 0. 

Fig. 6. The protocol for proving Hamiltonicity in the $\mathcal{F}_{COM}$-hybrid model 
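The protocol of Figure 6, as an added, runnable illustration (this is not code from the paper or its authors). The ideal functionality $\mathcal{F}_{COM}$ is played by an in-process trusted object that stores each committed value under its identifier, hands the verifier a receipt, and releases a value only when the prover opens it; the five-node graph, its Hamiltonian cycle and the challenge randomness are constructed for this example. The point worth seeing in code is the asymmetry of step 3: a $c_k = 0$ round opens the permutation and the whole permuted graph, a $c_k = 1$ round opens exactly the $n$ entries carrying the permuted cycle and nothing about $\pi_k$, and the verifier's step 4 checks each round against its own challenge bit.

```python
"""Blum's Hamiltonicity protocol in the F_COM-hybrid model (Protocol HC,
Fig. 6), written as an added, runnable illustration. F_COM is played by an
in-process trusted object; graph, cycle and randomness are constructed."""
import random
from itertools import product


class IdealCommitment:
    """Stand-in for F_COM: keeps each committed value under its identifier,
    gives the verifier a receipt, and releases a value only on Open."""

    def __init__(self):
        self._values = {}
        self.receipts = set()
        self.opened = {}

    def commit(self, cid, value):
        if cid in self._values:
            raise ValueError(f"identifier {cid} already used")
        self._values[cid] = value
        self.receipts.add(cid)                  # (Receipt, cid, P, V) reaches V

    def open(self, cid):
        self.opened[cid] = self._values[cid]    # (Open, cid, P, V) reaches V


def is_hamiltonian_cycle(graph, cycle, n):
    """H(G, h) = 1 iff h lists every node once and consecutive nodes are adjacent."""
    if sorted(cycle) != list(range(n)):
        return False
    return all((cycle[t], cycle[(t + 1) % n]) in graph for t in range(n))


def prover_commit(fcom, graph, n, rng):
    """Step 1, rounds k = 0..n-1: commit to pi_k and to the permuted adjacency
    matrix, entry (i, j) holding 1 iff (pi_k(i), pi_k(j)) is an edge of G."""
    perms = []
    for k in range(n):
        pi = list(range(n))
        rng.shuffle(pi)
        perms.append(pi)
        for i, j in product(range(n), repeat=2):
            fcom.commit(("edge", i, j, k), 1 if (pi[i], pi[j]) in graph else 0)
        for l in range(n):                      # pi_k represented by its n images
            fcom.commit(("perm", l, k), pi[l])
    return perms


def prover_open(fcom, cycle, perms, challenges, n):
    """Step 3: c_k = 0 opens pi_k and the whole permuted graph; c_k = 1 opens
    only the n entries that carry the permuted cycle."""
    for k, c in enumerate(challenges):
        if c == 0:
            for i, j in product(range(n), repeat=2):
                fcom.open(("edge", i, j, k))
            for l in range(n):
                fcom.open(("perm", l, k))
        else:
            pos = {node: i for i, node in enumerate(perms[k])}   # inverse of pi_k
            for t in range(n):
                a, b = cycle[t], cycle[(t + 1) % n]
                fcom.open(("edge", pos[a], pos[b], k))


def verifier_check(fcom, graph, challenges, n):
    """Step 4: output 1 only if every round is consistent with its challenge bit."""
    for k, c in enumerate(challenges):
        opened = {key[1:3]: v for key, v in fcom.opened.items()
                  if key[0] == "edge" and key[3] == k}
        if c == 0:
            pi = [fcom.opened.get(("perm", l, k)) for l in range(n)]
            if None in pi or sorted(pi) != list(range(n)) or len(opened) != n * n:
                return 0
            if any(opened[(i, j)] != (1 if (pi[i], pi[j]) in graph else 0)
                   for i, j in product(range(n), repeat=2)):
                return 0
        else:
            if len(opened) != n or any(v != 1 for v in opened.values()):
                return 0
            succ = {i: j for (i, j) in opened}  # the n opened entries must chain into one cycle
            cur, seen = 0, set()
            for _ in range(n):
                if cur in seen or cur not in succ:
                    return 0
                seen.add(cur)
                cur = succ[cur]
            if cur != 0:
                return 0
    return 1


def run_hc(graph, cycle, n, seed=1):
    """One execution; returns (number of receipts V saw before challenging, V's output)."""
    rng = random.Random(seed)
    if not is_hamiltonian_cycle(graph, cycle, n):
        return 0, 0                             # P sends reject, V outputs 0
    fcom = IdealCommitment()
    perms = prover_commit(fcom, graph, n, rng)
    receipts = len(fcom.receipts)               # n*n edge + n permutation receipts per round
    challenges = [rng.randrange(2) for _ in range(n)]   # Step 2
    prover_open(fcom, cycle, perms, challenges, n)
    return receipts, verifier_check(fcom, graph, challenges, n)


def undirected(edges):
    return {(a, b) for a, b in edges} | {(b, a) for a, b in edges}

# Constructed 5-node graph: the cycle 0-1-2-3-4-0 plus one chord (1,3).
SAMPLE_GRAPH = undirected([(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (1, 3)])
SAMPLE_CYCLE = [0, 1, 2, 3, 4]
```

Running `run_hc(SAMPLE_GRAPH, SAMPLE_CYCLE, 5)` returns `(150, 1)`: five rounds of 25 edge commitments and 5 permutation commitments each, and an accepting verifier. Passing a sequence that is not a Hamiltonian cycle makes the honest prover reject before committing, so the verifier outputs 0. Note that the verifier never sees the `_values` of unopened commitments, which is exactly the hiding guarantee the ideal functionality provides for free in the hybrid model.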
Abstract. We deal with the problem of a center sending a message 
to a group of users such that some subset of the users is considered 
revoked and should not be able to obtain the content of the message. 
We concentrate on the stateless receiver case, where the users do not 
(necessarily) update their state from session to session. We present a 
framework called the Subset-Cover framework, which abstracts a variety 
of revocation schemes including some previously known ones. We provide 
sufficient conditions that guarantee the security of a revocation 
algorithm in this class. 

We describe two explicit Subset-Cover revocation algorithms; these algorithms 
are very flexible and work for any number of revoked users. The 
schemes require storage at the receiver of $\log N$ and $\frac{1}{2}\log^2 N$ keys respectively 
($N$ is the total number of users), and in order to revoke $r$ users the 
required message lengths are of $r \log N$ and $2r$ keys respectively. We also 
provide a general traitor tracing mechanism that can be integrated with 
any Subset-Cover revocation scheme that satisfies a “bifurcation property”. 
This mechanism does not need an a priori bound on the number 
of traitors and does not expand the message length by much compared 
to the revocation of the same set of traitors. 

The main improvements of these methods over previously suggested 
methods, when adopted to the stateless scenario, are: (1) reducing 
the message length to $O(r)$ regardless of the coalition size while 
maintaining a single decryption at the user's end, and (2) providing a 
seamless integration between the revocation and tracing so that the tracing 
mechanism does not require any change to the revocation algorithm. 

Keywords: Broadcast Encryption, Revocation scheme, Tracing scheme, 
Copyright Protection. 
1 Introduction 

The problem of a Center transmitting data to a large group of receivers so 
that only a predefined subset is able to decrypt the data is at the heart of a 
growing number of applications. Among them are pay-TV applications, multicast 
communication, secure distribution of copyright-protected material (e.g. music) 
and audio streaming. The area of Broadcast Encryption deals with methods to 
efficiently broadcast information to a dynamically changing group of users who 
are allowed to receive the data. It is often convenient to think of it as a Revocation 
Scheme, which addresses the case where some subset of the users are excluded 
from receiving the information. In such scenarios it is also desirable to have a 
Tracing Mechanism, which enables the efficient tracing of leakage, specifically, 
the source of keys used by illegal devices, such as pirate decoders or clones. 

One special case is when the receivers are stateless. In such a scenario, a 
(legitimate) receiver is not capable of recording the past history of transmissions 
and changing its state accordingly. Instead, its operation must be based on the 
current transmission and its initial configuration. Stateless receivers are important 
for the case where the receiver is a device that is not constantly on-line, 
such as a media player (e.g. a CD or DVD player where the “transmission” is the 
current disc), a satellite receiver (GPS) and perhaps in multicast applications. 
The stateless scenario is particularly relevant to the application of Copyright 
Protection. 

This paper introduces very efficient revocation schemes which are especially 
suitable for stateless receivers. Our approach is quite general. We define a 
framework of such algorithms, called Subset-Cover algorithms, and provide a sufficient 
condition for an algorithm in this family to be secure. We suggest two particular 
constructions of schemes in this family; the performance of the second method 
is substantially better than any previously known algorithm for this problem 
(see Section 3). We also provide a general property (‘bifurcation’) of revocation 
algorithms in our framework that allows efficient tracing methods, without 
modifying the underlying revocation scheme. 

Notation: Let $N$ be the total number of users in the system and let $r$ be the size of 
the revoked set $\mathcal{R}$. 



1.1 Related Work 

Broadcast Encryption. The area of Broadcast Encryption was first formally studied 
(and coined) by Fiat and Naor in [12] and has received much attention since 
then. To the best of our knowledge the scenario of stateless receivers has not been 
considered explicitly in the past in a scientific paper. In principle any scheme 
that works for the connected mode, where receivers can remember past communication, 
may be converted to a scheme for stateless receivers (such a conversion 
may require including with any transmission the entire ‘history’ of revocation 
events). Hence, when discussing previously proposed schemes we will consider 
their performance as adapted to the stateless receiver scenario. 

A parameter that was often considered is $t$, the upper bound on the size of 
the coalition an adversary can assemble. The algorithms in this paper do not 
require such a bound and we can think of $t = r$; on the other hand some previously 
proposed schemes depend on $t$ but are independent of $r$. The Broadcast 
Encryption method of [?] allows the removal of any number of users as long as 
at most $t$ of them collude; the message length is $O(t \log^2 t)$, a user must store 
a number of keys that is logarithmic in $t$ and is required to perform $O(r/t)$ 
decryptions. 

The logical-tree-hierarchy (LKH) scheme, suggested independently by Wallner 
et al. [?] and Wong et al. [?], is designed for the connected mode for 
multicast applications. If used in the stateless scenario it requires transmitting 
$2r \log N$ keys, storing $\log N$ keys at each user and performing $r \log N$ encryptions (these 
bounds are somewhat improved in [?]). The key assignment of this scheme 
and the key assignment of our first method are similar (see Sect. 3.1 for 
comparison). 

Luby and Staddon [?] considered the information theoretic setting and devised 
bounds for any revocation algorithms under this setting. Their “Or Protocol” 
fits our Subset-Cover framework; our second algorithm (the Subset Difference 
method) which is not information theoretic, beats their lower bound 
(Theorem 12 in [?]). In Garay et al. [?] keys of compromised decoders are no 
longer used and the scheme is adapted so as to maintain security for the good 
users. The method of Kumar et al. [?] enables one-time revocation of up to $r$ 
users with message lengths of $O(r \log N)$ and $O(r^2)$. CPRM [?] is one of the 
methods that explicitly considers the stateless scenario. 

Tracing Mechanisms. Tracing systems, introduced by Chor et al. [?] and later 
refined to the Threshold Traitor model [?, ?], distribute decryption keys to 
the users so as to allow the detection of at least one ‘identity’ of a key that 
is used in a pirate box which was constructed using keys of at most $t$ users. 
Black-box tracing assumes that only the outcome of the decoding box can be 
examined. The construction of [?] guarantees tracing with high probability; it 
requires $O(t \log N)$ keys at each user, a single decryption operation and a message 
length of $4t$. The public key tracing scheme of Boneh and Franklin [?] provides a 
number-theoretic deterministic method for tracing. Note that in all of the above 
methods $t$ is an a-priori bound. Another notion, the one of Content Tracing, 
attempts to detect illegal users who redistribute the content after it is decoded 
(see [?]). 

Integration of tracing and revocation. Broadcast encryption can be combined 
with tracing schemes to yield trace-and-revoke schemes¹, a powerful approach 
to prevent illegal leakage of keys (others include the legal approach and the 
self enforcement approach [?]). While Gafni et al. [?] and Stinson and Wei [?] 
consider combinatorial constructions, the schemes in Naor and Pinkas [?] are 
computational constructions and hence more general. The previously best known 
trace-and-revoke algorithm of [?] can tolerate a coalition of at most $t$ users. It 
requires storing $O(t)$ keys at each user and performing $O(r)$ decryptions; the 
message length is $r$ keys, however these keys are elements in a group where the 
Decisional Diffie-Hellman problem is difficult, and hence these keys are longer 
than symmetric ones. The tracing model of [?] is not a “pure” black-box model. 
(Anzai et al. [?] employ a similar method for revocation, but without tracing 
capabilities.) 

¹ However it is not the case that every system which enables revocation and enables 
tracing is a trace-and-revoke scheme. 



1.2 Summary of Results 

In this paper we define a generic framework encapsulating several previously 
proposed revocation methods (e.g. the “Or Protocol” of [?]), called Subset-Cover 
algorithms. These algorithms are based on the principle of covering all non-revoked 
users by disjoint subsets from a predefined collection, together with a method for 
assigning (long-lived) keys to subsets in the collection. We define the security of 
a revocation scheme and provide a sufficient condition (key-indistinguishability) 
for a revocation algorithm in the Subset-Cover Framework to be secure. An 
important consequence of this framework is the separation between long-lived keys 
and short-term keys. The framework can be easily extended to the public-key 
scenario. 

We provide two new instantiations of revocation schemes in the Subset-Cover 
Framework, with a different performance tradeoff (summarized in Fig. 1²). 
Both instantiations are tree-based, namely the subsets are derived from a virtual 
tree structure imposed on all devices in the system³. The first requires a 
message length of $r \log N$ and storage of $\log N$ keys at the receiver and 
constitutes a moderate improvement over previously proposed schemes; the second 
exhibits a substantial improvement: it requires a message length of $2r - 1$ (in the 
worst case, or $1.38r$ in the average case) and storage of $\frac{1}{2}\log^2 N$ keys at the 
receiver. This improvement is (provably) due to the fact that the key assignment 
is computational and not information theoretic (for the information theoretic 
case there exists a lower bound which exhibits its limits, see [?]). Furthermore, 
these algorithms are $r$-flexible, namely they do not assume an upper bound on 
the number of revoked receivers. 

Thirdly, we present a tracing mechanism that works in tandem with a Subset-Cover 
revocation scheme. We identify the bifurcation property for a Subset-Cover 
scheme. Our two constructions of revocation schemes possess this property. We 
show that every scheme that satisfies the bifurcation property can be combined 
with the tracing mechanism to yield a trace-and-revoke scheme. The integration 
of the two mechanisms is seamless in the sense that no change is required for any 
one of them. Moreover, no a-priori bound on the number of traitors is needed for 
our tracing scheme. In order to trace $t$ illegal users, the first revocation method 
requires a message length of $t \log N$, and the second revocation method requires 
a message length of $5t$. 

² Note that the comparison in the processing time between the two methods treats 
an application of a pseudo-random generator and a lookup operation as having the 
same cost, even though they might be quite different. More explicitly, the processing 
of both methods consists of $O(\log\log N)$ lookups; in addition, the Subset Difference 
method requires at most $\log N$ applications of a pseudo-random generator. 

³ An alternative view is to map the receivers to points on a line and the subsets to 
segments. 

Main Contributions: the main improvements that our methods achieve over 
previously suggested methods, when adopted to the stateless scenario, are: 

— Reducing the message length to linear in r regardless of the coalition size, 
while maintaining a single decryption at the user’s end. This applies also to 
the case where public keys are used, without a substantial length increase. 

— The seamless integration between revocation and tracing: the tracing mecha- 
nism does not require any change of the revocation algorithm and no a priori 
bound on the number of traitors, even when all traitors cooperate among 
themselves. 

— The rigorous treatment of the security of such schemes, identifying the effect 
of parameter choice on the overall security of the scheme. 



Method             | Message Length | Storage@Receiver       | Processing time   | decryptions 
-------------------|----------------|-----------------------|-------------------|------------ 
Complete Subtree   | $r \log N$     | $\log N$              | $O(\log\log N)$   | 1 
Subset Difference  | $2r - 1$       | $\frac{1}{2}\log^2 N$ | $O(\log N)$       | 1 

Fig. 1. Performance tradeoff for the Complete Subtree method and the Subset Difference 
method 



Organization of the paper. Section 2 describes the framework for Subset-Cover 
algorithms and a sketch of the main theorem characterizing the security of a 
revocation algorithm in this family (the security is described in detail in the 
full version of the paper). Section 3 describes two specific implementations of 
such algorithms. Section 3.3 gives an overview of a few implementation issues, 
public-key methods and hierarchical revocation, as well as applications to copy 
protection and secure multicast. Section 4 provides a traitor-tracing algorithm 
that works for every revocation algorithm in the Subset-Cover framework and an 
improvement specifically suited for the Subset-Difference revocation algorithm. 



2 The Subset-Cover Revocation Framework 

2.1 Preliminaries - Problem Definition 

Let $\mathcal{N}$ be the set of all users, $|\mathcal{N}| = N$, and $\mathcal{R} \subseteq \mathcal{N}$ be a group of $|\mathcal{R}| = r$ 
users whose decryption privileges should be revoked. The goal of a revocation 
algorithm is to allow a center to transmit a message $M$ to all users such that 
any user $u \in \mathcal{N} \setminus \mathcal{R}$ can decrypt the message correctly, while even a coalition 
consisting of all members of $\mathcal{R}$ cannot decrypt it. The definition of the latter is 
provided in Sect. 2.3. 

A system consists of three parts: (1) An initiation scheme, which is a method 
for assigning the receivers secret information that will allow them to decrypt. (2) 
The broadcast algorithm - given a message M and the set TZ of users that should 
be revoked outputs a ciphertext message M' that is broadcast to all receivers. 
(3) A decryption algorithm - a (non-revoked) user that receives ciphertext M' 
using its secret information should produce the original message M . Since the 
receivers are stateless, the output of the decryption should be based on the 
current message and the secret information only. 



2.2 The Framework 

We present a framework for algorithms which we call Subset-Cover. In this 
framework an algorithm defines a collection of subsets $S_1, \ldots, S_w$, $S_j \subseteq \mathcal{N}$. Each 
subset $S_j$ is assigned (perhaps implicitly) a long-lived key $L_j$; each member $u$ of 
$S_j$ should be able to deduce $L_j$ from its secret information. Given a revoked set 
$\mathcal{R}$, the remaining users $\mathcal{N} \setminus \mathcal{R}$ are partitioned into disjoint subsets $S_{i_1}, \ldots, S_{i_m}$ 
so that $\mathcal{N} \setminus \mathcal{R} = \bigcup_{j=1}^{m} S_{i_j}$. A session key $K$ is encrypted $m$ times with 
$L_{i_1}, \ldots, L_{i_m}$. 

Specifically, an algorithm in the framework uses two encryption schemes: 

— A method $F_K : \{0,1\}^* \to \{0,1\}^*$ to encrypt the message itself. The key $K$ 
used will be chosen fresh for each message $M$ - a session key - as a random 
bit string. $F_K$ should be a fast method and should not expand the plaintext. 
The simplest implementation is to XOR the message $M$ with a stream cipher 
generated by $K$. 

— A method to deliver the session key to the receivers, for which we will 
employ an encryption scheme. The keys $L$ here are long-lived. The simplest 
implementation is to make $E_L : \{0,1\}^{\ell} \to \{0,1\}^{\ell}$ a block cipher. 

A discussion of the security requirements of these primitives is given in Sect. 2.3. 
Suggestions for the implementation of $F_K$ and $E_L$ are outlined in Sect. 3.3 and 
given in [?]. The algorithm consists of three components: 

Scheme Initiation: Every receiver $u$ is assigned private information $I_u$. For all 
$1 \le i \le w$ such that $u \in S_i$, $I_u$ allows $u$ to deduce the key $L_i$ corresponding to the 
set $S_i$. Note that the keys $L_i$ can be chosen either (i) uniformly at random and 
independently from each other (which we call the information-theoretic case) or 
(ii) as a function of other (secret) information (which we call the computational 
case), and thus may not be independent of each other. 

The Broadcast algorithm at the Center: The center chooses a session encryption 
key $K$. Given a set $\mathcal{R}$ of revoked receivers, it finds a partition $S_{i_1}, \ldots, S_{i_m}$ 
covering all users in $\mathcal{N} \setminus \mathcal{R}$. Let $L_{i_1}, \ldots, L_{i_m}$ be the keys associated with the above 
subsets. The center encrypts $K$ with keys $L_{i_1}, \ldots, L_{i_m}$ and sends the ciphertext 

$$\langle [i_1, i_2, \ldots, i_m, E_{L_{i_1}}(K), E_{L_{i_2}}(K), \ldots, E_{L_{i_m}}(K)],\ F_K(M) \rangle$$ 

The portion in square brackets preceding $F_K(M)$ is called the header and $F_K(M)$ 
is called the body. 

The Decryption step at the receiver $u$, upon receiving a broadcast message 
$\langle [i_1, i_2, \ldots, i_m, C_1, C_2, \ldots, C_m], M' \rangle$: the receiver finds $i_j$ such that $u \in S_{i_j}$ (in 
case $u \in \mathcal{R}$ the result is null). It then extracts the corresponding key $L_{i_j}$ from $I_u$, 
computes $D_{L_{i_j}}(C_j)$ to obtain $K$ and computes $D_K(M')$ to obtain and output 
$M$. 

A particular implementation of such a scheme is specified by (1) the collection
of subsets $S_1, \ldots, S_w$, (2) the key assignment to each subset in the collection,
(3) a method to cover the non-revoked receivers $\mathcal{N} \setminus \mathcal{R}$ by disjoint subsets from
this collection, and (4) a method that allows each user $u$ to find its cover $S$
and compute its key $L_S$ from $I_u$. The algorithm is evaluated based upon three
parameters:

1. Message Length - the length of the header that is attached to $F_K(M)$, which
is proportional to $m$, the number of sets in the partition covering $\mathcal{N} \setminus \mathcal{R}$.

2. Storage size at the receiver - how much private information (typically, keys)
a receiver needs to store. For instance, $I_u$ could simply consist of all
the keys $L_i$ such that $u \in S_i$, or if the key assignment is more sophisticated
it should allow the computation of all such keys.

3. Message processing time at the receiver. We often distinguish between decryption
and other types of operations.

It is important to characterize the dependence of the above three parameters
on both $N$ and $r$. Specifically, we say that a revocation scheme is flexible with
respect to $r$ if the storage at the receiver is not a function of $r$. Note that the
efficiency of setting up the scheme and computing the partition (given $\mathcal{R}$) is
not taken into account in the algorithm's analysis. However, for all schemes
presented in this paper the computational requirements of the sender are rather
modest: finding the partition takes time linear in $|\mathcal{R}| \log N$ and the encryption
is proportional to the number of subsets in the partition. In this framework we
demonstrate the substantial gain that can be achieved by using a computational
key-assignment scheme as opposed to an information-theoretic one.



2.3 Security of the Framework

The definition of the Subset-Cover framework allows a rigorous treatment of the
security of any algorithm in this family. Unfortunately, due to lack of space, this
discussion must be omitted and is included in the full version of the paper.
A summary of this analysis follows.

Our contribution is twofold. We first define the notion of revocation-scheme
security, namely specify the adversary's power in this scenario and what is
considered a successful break. This roughly corresponds to an adversary that may
pool the secret information of several users and may have some influence on the
choice of messages encrypted in this scheme (chosen plaintext). Also it may
create bogus messages and see how legitimate users (that will not be revoked) react.
Finally, to say that the adversary has broken the scheme means that when the
users who have provided it their secret information are all revoked (otherwise
it is not possible to protect the plaintext) the adversary can still learn something
about the encrypted message. Here we define "learn" as distinguishing its
encryption from random (this is equivalent to semantic security).

Note that since the assumptions on the security of the encryption primitives are
computational, a computational key-assignment method is natural.

Second, we state the security assumptions on the primitives used in the
scheme (these include the encryption primitives $E_L$ and $F_K$ and the key
assignment method in the subset-cover algorithm). We identify a critical property
that is required from the key-assignment method: a subset-cover algorithm
satisfies the "key-indistinguishability" property if for every subset $S_i$ its key $L_i$ is
indistinguishable from a random key given all the information of all users that
are not in $S_i$. Note that any scheme in which the keys to all subsets are chosen
independently (trivially) satisfies this property. To obtain our security theorem,
we require two different sets of properties from $E_L$ and $F_K$, since $F_K$ uses short-lived
keys whereas $E_L$ uses long-lived ones. Specifically, $E_L$ is required to be
semantically secure against chosen ciphertext attacks in the pre-processing mode,
and $F_K$ to be chosen-plaintext, one-message semantically secure (see the full
version of the paper for details). We then proceed to show that if the subset-cover algorithm satisfies
the key-indistinguishability property and if $E_L$ and $F_K$ satisfy their security
requirements, then the revocation scheme is secure under the above definition.

Theorem 1. Let $\mathcal{A}$ be a Subset-Cover revocation algorithm where (i) the key
assignment satisfies the key-indistinguishability property, (ii) $E_L$ is semantically
secure against chosen ciphertext attacks in the pre-processing mode, and (iii)
$F_K$ is chosen-plaintext, one-message semantically secure. Then $\mathcal{A}$ satisfies the
notion of revocation scheme security defined above.

3 Two Subset-Cover Revocation Algorithms

We describe two schemes in the Subset-Cover framework with a different
performance tradeoff, as summarized in the table. Each is defined over a different
collection of subsets. Both schemes are $r$-flexible, namely they work with any
number of revocations. In the first scheme, the key assignment is information-theoretic
whereas in the other scheme the key assignment is computational.
While the first method is relatively simple, the second method is more involved,
and exhibits a substantial improvement over previous methods.

In both schemes the subsets and the partitions are obtained by imagining the
receivers as the leaves in a rooted full binary tree with $N$ leaves (assume that $N$
is a power of 2). Such a tree contains $2N - 1$ nodes (leaves plus internal nodes)
and for any $1 \le i \le 2N - 1$ we assume that $v_i$ is a node in the tree. We denote
by $ST(\mathcal{R})$ the (directed) Steiner Tree induced by the set $\mathcal{R}$ of vertices and the
root, i.e. the minimal subtree of the full binary tree that connects all the leaves
in $\mathcal{R}$ ($ST(\mathcal{R})$ is unique). The systems differ in the collections of subsets they
consider.

Recently a method exhibiting various tradeoffs between the measures (bandwidth,
storage and processing time) was proposed [22]. In particular it is possible to reduce
the device storage down to $\log^2 N / \log H$ by increasing processing time to $H \log N$.



3.1 The Complete Subtree Method

The collection of subsets $S_1, \ldots, S_w$ in our first scheme corresponds to all complete
subtrees in the full binary tree with $N$ leaves. For any node $v_i$ in the full
binary tree (either an internal node or a leaf, $2N - 1$ altogether) let the subset
$S_i$ be the collection of receivers $u$ that correspond to the leaves of the subtree
rooted at node $v_i$. The key assignment method simply assigns an independent
and random key $L_i$ to every node $v_i$ in the complete tree. Provide every receiver
$u$ with the $\log N + 1$ keys associated with the nodes along the path from the
root to leaf $u$.

For a given set $\mathcal{R}$ of revoked receivers, let $S_{i_1}, \ldots, S_{i_m}$ be all the subtrees
of the original tree whose roots are adjacent to nodes of outdegree 1 in $ST(\mathcal{R})$,
but are not themselves in $ST(\mathcal{R})$. It follows immediately that this collection covers all
nodes in $\mathcal{N} \setminus \mathcal{R}$ and only them. The cover size is at most $r \log(N/r)$. This is also
the average number of subsets in the cover.

At decryption, given a message $([i_1, \ldots, i_m, E_{L_{i_1}}(K), \ldots, E_{L_{i_m}}(K)],\ F_K(M))$,
a receiver $u$ needs to find whether any of its ancestors is among $i_1, i_2, \ldots, i_m$;
note that there can be only one such ancestor, so $u$ may belong to at most one
subset. This lookup can be performed efficiently by using hash-table lookups
with perfect hash functions.

The key assignment in this method is information theoretic, that is, keys
are assigned randomly and independently. Hence the "key-indistinguishability"
property of this method follows from the fact that no $u \in \mathcal{R}$ is contained in any
of the subsets $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$.

Theorem 2. The Complete Subtree Revocation method requires (i) message
length of at most $r \log\frac{N}{r}$ keys, (ii) to store $\log N$ keys at a receiver and (iii)
$O(\log\log N)$ operations plus a single decryption operation to decrypt a message.
Moreover, the method is secure in the sense of the definition outlined in Sect. 2.3.

Comparison to the Logical Key Hierarchy (LKH) approach: Readers familiar
with the LKH method of [30,29] may find it instructive to compare it to the
Complete Subtree Scheme. The main similarity lies in the key assignment - an
independent label is assigned to each node in the binary tree. However, these
labels are used quite differently - in the multicast re-keying LKH scheme some of
these labels change at every revocation. In the Complete Subtree method labels
are static; what changes is a single session key.

Consider an extension of the LKH scheme which we call the clumped re-keying
method: here, $r$ revocations are performed at a time. For a batch of $r$
revocations, no label is changed more than once, i.e. only the "latest" value is
transmitted and used. In this variant the number of encryptions is roughly the
same as in the Complete Subtree method, but it requires $\log N$ decryptions at
the user (as opposed to a single decryption in our framework). An additional
advantage of the Complete Subtree method is the separation of the labels and
the session key, which has a consequence on the message length; see the discussion
of Prefix-Truncation in Sect. 3.3.



3.2 The Subset Difference Method

The main disadvantage of the Complete Subtree method is that $\mathcal{N} \setminus \mathcal{R}$ may be
partitioned into a number of subsets that is too large. The goal is now to reduce
the partition size. We show an improved method that partitions the non-revoked
receivers into at most $2r - 1$ subsets (or $1.25r$ on average), thus getting rid of a
$\log N$ factor and effectively reducing the message length accordingly. In return,
the number of keys stored by each receiver increases by a factor of $\tfrac{1}{2} \log N$.
The key characteristic of the Subset Difference method, which essentially leads
to the reduction in message length, is that in this method any user belongs to
substantially more subsets than in the first method ($O(N)$ instead of $\log N$).
The challenge is then to devise an efficient procedure to succinctly encode this
large set of keys at the user, which is achieved by using a computational key
assignment.



The subset description. As in the previous method, the receivers are viewed
as leaves in a complete binary tree. The collection of subsets $S_1, \ldots, S_w$ defined
by this algorithm corresponds to subsets of the form "a group of receivers $G_1$
minus another group $G_2$", where $G_2 \subset G_1$. The two groups $G_1, G_2$ correspond
to leaves in two full binary subtrees. Therefore a valid subset $S$ is represented
by two nodes in the tree $(v_i, v_j)$ such that $v_i$ is an ancestor of $v_j$. We denote
such a subset as $S_{i,j}$. A leaf $u$ is in $S_{i,j}$ iff it is in the subtree rooted at $v_i$ but not
in the subtree rooted at $v_j$, or in other words $u \in S_{i,j}$ iff $v_i$ is an ancestor of
$u$ but $v_j$ is not. Figure 2 depicts $S_{i,j}$. Note that all subsets from the Complete
Subtree Method are also subsets of the Subset Difference Method; specifically,
a subtree appears here as the difference between its parent and its sibling. The
only exception is the full tree itself, and we will add a special subset for that.
We postpone the description of the key assignment till later; for the time being
assume that each subset $S_{i,j}$ has an associated key $L_{i,j}$.



The Cover. For a set $\mathcal{R}$ of revoked receivers, the following Cover algorithm finds
a collection of disjoint subsets $S_{i_1}, \ldots, S_{i_m}$ which partitions $\mathcal{N} \setminus \mathcal{R}$.

The method builds the subsets collection iteratively, maintaining a tree $T$ which
is a subtree of $ST(\mathcal{R})$ with the property that any $u \in \mathcal{N} \setminus \mathcal{R}$ that is below a
leaf of $T$ has been covered. We start by making $T$ equal to $ST(\mathcal{R})$ and then
iteratively remove nodes from $T$ (while adding subsets to the collection) until $T$
consists of just a single node:

1. Find two leaves $v_i$ and $v_j$ in $T$ such that the least-common-ancestor $v$ of $v_i$
and $v_j$ does not contain any other leaf of $T$ in its subtree. Let $v_l$ and $v_k$ be
the two children of $v$ such that $v_i$ is a descendant of $v_l$ and $v_j$ is a descendant of
$v_k$. (If there is only one leaf left, make $v_i = v_j$ that leaf, $v$ the root
of $T$ and $v_l = v_k = v$.)

2. If $v_l \ne v_i$ then add the subset $S_{l,i}$ to the collection; likewise, if $v_k \ne v_j$ add
the subset $S_{k,j}$ to the collection.

3. Remove from $T$ all the descendants of $v$ and make it a leaf.

Fig. 2. The Subset Difference method: subset $S_{i,j}$ contains all marked leaves (non-black).

An alternative description of the cover algorithm is as follows: consider maximal
chains of nodes with outdegree 1 in $ST(\mathcal{R})$. More precisely, each such chain
is of the form $[v_{i_1}, v_{i_2}, \ldots, v_{i_\ell}]$ where (i) all of $v_{i_1}, v_{i_2}, \ldots, v_{i_{\ell-1}}$ have outdegree 1 in
$ST(\mathcal{R})$, (ii) $v_{i_\ell}$ is either a leaf or a node with outdegree 2 and (iii) $v_{i_1}$ is
either the root or the child of a node of outdegree 2. For each such chain where $\ell \ge 2$
add the subset $S_{i_1, i_\ell}$ to the cover. Note that all nodes of outdegree 1 in $ST(\mathcal{R})$
are members of precisely one such chain.

We state, without a proof, that a cover can contain at most $2r - 1$ subsets
for any set of $r$ revocations. Moreover, if the set of revoked leaves is random,
then average-case analysis bounds the cover size by $1.38r$, whereas simulation
experiments tighten the bound to $1.25r$.
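The Complete Subtree cover of Sect. 3.1 and the Subset Difference cover above (in its chain form), as an added worked example that is not part of the paper. It uses a heap-indexed tree of its own choosing (root 1, children 2v and 2v+1, receiver u at leaf N+u; this numbering is an assumption of the example, not the paper's $v_i$ indexing), computes $ST(\mathcal{R})$, builds both covers, and checks on a constructed revocation set that each cover is a partition of $\mathcal{N} \setminus \mathcal{R}$ within the stated bounds $r \log(N/r)$ and $2r - 1$:

```python
"""Complete Subtree (CS) and Subset Difference (SD) covers of N \\ R.

Tree layout (an assumption of this example, not the paper's notation):
heap-indexed full binary tree, root = 1, children of v are 2v and 2v+1,
receiver u (0 <= u < N, N a power of two) sits at leaf node N + u.
"""
import math


def leaf(N, u):
    return N + u


def ancestors(v):
    """v itself and every proper ancestor up to the root 1, nearest first."""
    while v >= 1:
        yield v
        v //= 2


def steiner_tree(N, revoked):
    """ST(R): the union of the root-to-leaf paths of the revoked receivers."""
    st = set()
    for u in revoked:
        st.update(ancestors(leaf(N, u)))
    return st


def cs_cover(N, revoked):
    """Complete Subtree cover: roots of the subtrees hanging off ST(R), i.e.
    children of outdegree-1 nodes of ST(R) that are not themselves in ST(R)."""
    if not revoked:
        return [1]                                  # the whole tree is one subset
    st = steiner_tree(N, revoked)
    return sorted(c for v in st if v < N            # internal nodes of ST(R) only
                  for c in (2 * v, 2 * v + 1) if c not in st)


def sd_cover(N, revoked):
    """Subset Difference cover: one subset S_{top,bottom} per maximal chain of
    outdegree-1 nodes of ST(R). Returns (i, j) pairs, or (1, None) for the
    special 'whole tree' subset when nothing is revoked."""
    if not revoked:
        return [(1, None)]
    st = steiner_tree(N, revoked)

    def outdeg(v):
        return sum(1 for c in (2 * v, 2 * v + 1) if c in st)

    cover = []
    for v in st:
        # a chain starts at an outdegree-1 node that is the root or whose parent
        # has outdegree 2; every other outdegree-1 node continues some chain
        if outdeg(v) != 1 or (v > 1 and outdeg(v // 2) == 1):
            continue
        bottom = v
        while outdeg(bottom) == 1:                  # descend to a leaf or a fork
            bottom = 2 * bottom if 2 * bottom in st else 2 * bottom + 1
        cover.append((v, bottom))
    return sorted(cover)


def members(N, i, j=None):
    """Receivers of S_i (j is None) or of S_{i,j}: under v_i but not under v_j."""
    out = set()
    for u in range(N):
        anc = set(ancestors(leaf(N, u)))
        if i in anc and (j is None or j not in anc):
            out.add(u)
    return out


def is_partition(N, revoked, cover):
    """True iff the cover's subsets are pairwise disjoint and their union is N \\ R."""
    seen = set()
    for s in cover:
        m = members(N, *s) if isinstance(s, tuple) else members(N, s)
        if seen & m:
            return False
        seen |= m
    return seen == set(range(N)) - set(revoked)


def demo(N=64, revoked=(3, 5, 6, 40, 41, 63)):
    """Cover a constructed revocation set; return (|CS cover|, |SD cover|)."""
    r = len(revoked)
    cs, sd = cs_cover(N, revoked), sd_cover(N, revoked)
    assert is_partition(N, revoked, cs) and is_partition(N, revoked, sd)
    assert len(cs) <= r * math.log2(N / r), "CS bound r log(N/r) violated"
    assert len(sd) <= 2 * r - 1, "SD bound 2r - 1 violated"
    return len(cs), len(sd)


if __name__ == "__main__":
    print(demo())
```

On the constructed set of six revoked receivers in a 64-leaf tree, `demo()` returns 13 Complete Subtree subsets against 6 Subset Difference subsets; the gap is the $\log N$ factor this section sets out to remove.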

The next lemma is concerned with covering more general sets than those
obtained by removing users. Rather it assumes that we are removing a collection
of subsets from the Subset Difference collection. It is applied later in the paper.

Lemma 1. Let $\mathcal{S} = S_{i_1}, \ldots, S_{i_m}$ be a collection of $m$ disjoint subsets
from the underlying collection defined by the Subset Difference method, and
$U = \bigcup_{j=1}^{m} S_{i_j}$. Then the leaves in $\mathcal{N} \setminus U$ can be covered by at most $3m - 1$
subsets from the underlying Subset Difference collection.



Key assignment to the subsets. We now define what information each receiver
must store. If we try and repeat the information-theoretic approach of
the previous scheme where each receiver needs to store explicitly the keys of all
the subsets it belongs to, the storage requirements would expand tremendously:
consider a receiver $u$; for each complete subtree $T_k$ it belongs to, $u$ must store
a number of keys proportional to the number of nodes in the subtree $T_k$ that
are not on the path from the root of $T_k$ to $u$. There are $\log N$ such trees, one
for each height $1 \le k \le \log N$, yielding a total which is $O(N)$
keys. We therefore devise a key assignment method that requires a receiver to
store only $O(\log N)$ keys per subtree, for a total of $O(\log^2 N)$ keys.

While the total number of subsets to which a user $u$ belongs is $O(N)$, these
can be grouped into $\log N$ clusters defined by the first subset $i$ (from which
another subset is subtracted). The way we proceed with the key assignment
is to choose for each $1 \le i \le N - 1$, corresponding to an internal node in the
full binary tree, a random and independent value $LABEL_i$. This value should
induce the keys for all legitimate subsets of the form $S_{i,j}$. The idea is to employ
the method used by Goldreich, Goldwasser and Micali to construct pseudo-random
functions, which was also used by Fiat and Naor for purposes similar
to ours.

Let $G$ be a (cryptographic) pseudo-random sequence generator (see definition
below) that triples the input, i.e. whose output length is three times the length
of the input; let $G_L(S)$ denote the left third of the output of $G$ on seed $S$, $G_R(S)$
the right third and $G_M(S)$ the middle third. We say that $G : \{0,1\}^n \mapsto \{0,1\}^{3n}$
is a pseudo-random sequence generator if no polynomial-time adversary can
distinguish the output of $G$ on a randomly chosen seed from a truly random string
of similar length. Let $\varepsilon_4$ denote the bound on the distinguishing probability.

Consider now the subtree $T_i$ (rooted at $v_i$). We will use the following top-down
labeling process: the root is assigned a label $LABEL_i$. Given that a parent
was labeled $S$, its two children are labeled $G_L(S)$ and $G_R(S)$ respectively. Let
$LABEL_{i,j}$ be the label of node $v_j$ derived in the subtree $T_i$ from $LABEL_i$. Following
such a labeling, the key $L_{i,j}$ assigned to set $S_{i,j}$ is $G_M$ of $LABEL_{i,j}$. Note
that each label induces three parts: $G_L$ - the label for the left child, $G_R$ - the
label for the right child, and $G_M$ - the key at the node. The process of generating
labels and keys for a particular subtree is depicted in Fig. 3. For such a labeling
process, given the label of a node it is possible to compute the labels (and keys)
of all its descendants. On the other hand, without receiving the label of an ancestor
of a node, its label is pseudo-random, and for a node $j$, given the labels
of all its descendants (but not including itself) the key $L_{i,j}$ is pseudo-random
($LABEL_{i,j}$, the label of $v_j$, is not pseudo-random given this information simply
because one can check for consistency of the labels). It is important to note that
given $LABEL_i$, computing $L_{i,j}$ requires at most $\log N$ invocations of $G$.

We now describe the information $I_u$ that each receiver $u$ gets in order to
derive the key assignment described above. For each subtree $T_i$ such that $u$ is a
leaf of $T_i$ the receiver $u$ should be able to compute $L_{i,j}$ iff $j$ is not an ancestor
of $u$. Consider the path from $v_i$ to $u$ and let $v_{i_1}, v_{i_2}, \ldots, v_{i_k}$ be the nodes just
"hanging off" the path, i.e. they are adjacent to the path but not ancestors of
$u$ (see Fig. 3). Each $j$ in $T_i$ that is not an ancestor of $u$ is a descendant of one
of these nodes. Therefore if $u$ receives the labels of $v_{i_1}, v_{i_2}, \ldots, v_{i_k}$ as part of $I_u$,
then invoking $G$ at most $\log N$ times suffices to compute $L_{i,j}$ for any $j$ that is
not an ancestor of $u$.

As for the total number of keys (in fact, labels) stored by receiver $u$, each
tree $T_i$ of height $k$ that contains $u$ contributes $k$ labels, one per node hanging off
the path from $v_i$ to $u$ (plus one key overall for the case where there are no revocations),
so the total is

$$1 + \sum_{k=1}^{\log N} k = \tfrac{1}{2} \log^2 N + \tfrac{1}{2} \log N + 1.$$



Revocation and Tracing Schemes for Stateless Receivers

[Fig. 3, left panel: the labeled path from $v_i$ gives $LABEL_{i,j} = G_R(G_L(G_L(LABEL_i)))$ and $L_{i,j} = G_M(LABEL_{i,j})$. Right panel: leaf $u$ below $v_i$ with the nodes hanging off the path.]

Fig. 3. Key assignment in the Subset Difference method. Left: generation of $LABEL_{i,j}$
and the key $L_{i,j}$. Right: leaf $u$ receives the labels of $v_{i_1}, \ldots, v_{i_k}$ that are induced by the
label $LABEL_i$ of $v_i$.

At decryption time, a receiver $u$ first finds the subset $S_{i,j}$ such that $u \in S_{i,j}$,
and computes the corresponding key $L_{i,j}$. Using the techniques described
in the complete subtree method for the table lookup structure, this subset can be
found in $O(\log\log N)$ operations. The evaluation of the subset key takes at most $\log N$
applications of a pseudo-random generator. After that, a single decryption is
needed.
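The label derivation, the private information $I_u$ and the receiver-side key computation described above, as an added worked example (not the paper's own code). It models the tripling generator $G$ by three domain-separated SHA-256 calls (an assumption; any length-tripling PRG fits), uses a heap-indexed tree of its own choosing (root 1, children 2v and 2v+1, receiver u at leaf N+u), and checks that a receiver in $S_{i,j}$ recovers the center's $L_{i,j}$ from its stored labels while receivers under $v_j$, even pooled, hold no label on the path from $v_i$ to $v_j$:

```python
"""Computational key assignment of the Subset Difference method (GGM-style labels).

Tree layout is an assumption of this example: heap-indexed full binary tree,
root 1, children of v are 2v and 2v+1, receiver u at leaf N + u.
"""
import hashlib
import os


def G(seed):
    """Length-tripling PRG stand-in: three domain-separated SHA-256 calls model
    (G_L, G_M, G_R). This is an assumption of the example; the paper only
    requires a PRG whose output is three times its seed."""
    return tuple(hashlib.sha256(seed + tag).digest() for tag in (b"L", b"M", b"R"))


def ancestors(v):
    """v and its proper ancestors, nearest first, down to the root 1."""
    while v >= 1:
        yield v
        v //= 2


def derive_label(label_top, top, node):
    """LABEL_{top,node}: walk from v_top down to v_node, applying G_L for a left
    child (even index) and G_R for a right child (odd index)."""
    path = [x for x in ancestors(node) if x >= top]          # node ... top
    assert path[-1] == top, "node must lie in the subtree of top"
    for child in reversed(path[:-1]):
        label_top = G(label_top)[0 if child % 2 == 0 else 2]
    return label_top


class Center:
    def __init__(self, N):
        self.N = N
        # an independent random LABEL_i for every internal node v_i, 1 <= i <= N-1
        self.LABEL = {i: os.urandom(32) for i in range(1, N)}

    def subset_key(self, i, j):
        """L_{i,j} = G_M(LABEL_{i,j}) for the subset S_{i,j} (v_j strictly below v_i)."""
        return G(derive_label(self.LABEL[i], i, j))[1]

    def private_info(self, u):
        """I_u: for each internal ancestor v_i of leaf u, the labels of the nodes
        hanging off the path v_i -> u (the siblings of the path nodes below v_i)."""
        path = list(ancestors(self.N + u))                   # leaf, parent, ..., root
        info = {}
        for k, i in enumerate(path[1:], start=1):
            for x in path[:k]:                               # path nodes strictly below v_i
                h = x ^ 1                                    # sibling of x hangs off the path
                info[(i, h)] = derive_label(self.LABEL[i], i, h)
        return info


def receiver_key(N, u, info, i, j):
    """Receiver u derives L_{i,j} from I_u with at most log N applications of G,
    or returns None when u is not in S_{i,j} (no stored label lies above v_j)."""
    anc = set(ancestors(N + u))
    if i not in anc or j in anc:
        return None
    for h in ancestors(j):                 # the stored hanging-off label above v_j
        if (i, h) in info:
            return G(derive_label(info[(i, h)], h, j))[1]
    return None


def coalition_can_derive(N, users_info, i, j):
    """Key-indistinguishability check: does the pooled I_u of these users contain
    the label of v_j or of an ancestor of v_j inside T_i?"""
    return any((i, h) in info for info in users_info for h in ancestors(j))


def demo(N=16):
    """Constructed check: receiver 5 is in S_{1,12} (leaves 8 and 9 are excluded)
    and recovers the center's key; receivers 8 and 9, even together, cannot."""
    center = Center(N)
    info = {u: center.private_info(u) for u in range(N)}
    in_subset = receiver_key(N, 5, info[5], 1, 12) == center.subset_key(1, 12)
    excluded = receiver_key(N, 8, info[8], 1, 12) is None
    coalition = coalition_can_derive(N, [info[8], info[9]], 1, 12)
    return in_subset, excluded, coalition, len(info[5])


if __name__ == "__main__":
    print(demo())
```

For $N = 16$ a receiver stores $\sum_{k=1}^{4} k = 10$ labels (plus the special whole-tree key), matching the count above; the coalition check is exactly the observation made in the Security paragraph that follows, that the users under $v_j$ only ever hold labels hanging off the path from $v_i$ to $v_j$.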

Security. In order to prove security we have to show that the key indistinguishability
condition (outlined in Sect. 2.3) holds for this method, namely that each
key is indistinguishable from a random key for all users not in the corresponding
subset.

Observe first that for any $u \in \mathcal{N}$, $u$ never receives keys that correspond
to subtrees to which it does not belong. Let $S_i$ denote the set of leaves in the
subtree $T_i$ rooted at $v_i$. For any set $S_{i,j}$ the key $L_{i,j}$ is (information theoretically)
independent of all $I_u$ for $u \notin S_i$. Therefore we have to consider only the combined
secret information of all $u \in S_j$. This is specified by at most $\log N$ labels - those
hanging off the path from $v_i$ to $v_j$ plus the two children of $v_j$ - which are sufficient
to derive all other labels in the combined secret information. Note that these
labels are $\log N$ strings that were generated independently by $G$, namely it is
never the case that one string is derived from another. Hence, a hybrid argument
over these strings implies that any advantage $\varepsilon$ in distinguishing $L_{i,j}$ from random
yields an advantage of at least $\varepsilon / \log N$ against $G$, so the probability of distinguishing
$L_{i,j}$ from random can be at most $\log N \cdot \varepsilon_4$, where $\varepsilon_4$ is the bound on distinguishing
outputs of $G$ from random strings.

Theorem 3. The Subset Difference method requires (i) message length of at
most $2r - 1$ keys, (ii) to store $\tfrac{1}{2} \log^2 N + \tfrac{1}{2} \log N + 1$ keys at a receiver and (iii)
$O(\log N)$ operations plus a single decryption operation to decrypt a message.
Moreover, the method is secure in the sense of the definition outlined in Sect. 2.3.
3.3 Further Discussions (Summary)

In the full version of the paper we discuss a number of important issues related to the above schemes,
their implementation and applications. Below is a short summary of the topics.

Implementation Issues: A key characteristic of the Subset-Cover framework
is that it clearly separates the long-term keys from the short, one-time
key. This allows, if so desired, to choose an encryption $F$ that might be weaker
(uses shorter keys) than the encryption chosen for $E$ and to reduce the message
length appropriately. We provide a "Prefix-Truncation" specification for $E$ to
implement such a reduction without sacrificing the security of the long-lived keys.
Let $\mathrm{Prefix}_i(S)$ denote the first $i$ bits of a string $S$. Choose $U$ to be a random string
whose length is the length of the block of $E_L$ and let $K$ be a relatively short key
for the cipher $F_K$ (whose length is, say, 56 bits). Then $[\mathrm{Prefix}_{|K|} E_L(U)] \oplus K$
provides an encryption that satisfies the requirements of $E$, as described in Sect.
2.3. The Prefix-Truncated header is therefore:

$$([i_1, \ldots, i_m, U, [\mathrm{Prefix}_{|K|} E_{L_{i_1}}(U)] \oplus K, \ldots, [\mathrm{Prefix}_{|K|} E_{L_{i_m}}(U)] \oplus K],\ F_K(M))$$

Note that the length of the header is reduced to about $m \times |K|$ bits (say
$56m$) instead of $m \times |L|$.
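The Prefix-Truncated header, built by the center and then opened by a receiver, as an added worked example rather than the paper's own code. $E_L$ is modelled by HMAC-SHA256 truncated to a 16-byte block and $F_K$ by a SHA-256 counter key stream (both assumptions standing in for the block cipher and the stream cipher); the cover, its long-lived keys and the 32-bit subset indices are constructed for the example, and $|K|$ is 56 bits as in the text:

```python
"""Prefix-Truncation of the header (Sect. 3.3), end to end.

Assumptions of this example: E_L is modelled by HMAC-SHA256 truncated to a
16-byte block (any pseudo-random function of the block U under the long-lived
key L serves the construction), F_K is a SHA-256 counter-mode key stream,
subset indices are 32-bit, and |K| = 56 bits as in the text.
"""
import hashlib
import hmac
import os

BLOCK = 16            # block length of E_L in bytes
KLEN = 7              # |K| = 56 bits
IDLEN = 4             # bytes per subset index in the header


def E(L, block):
    """Long-lived-key encryption of one block (PRF stand-in for the block cipher)."""
    return hmac.new(L, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def F(K, data):
    """Session-key cipher: XOR with a key stream, so the body is not expanded."""
    stream = b"".join(hashlib.sha256(K + c.to_bytes(8, "big")).digest()
                      for c in range(len(data) // 32 + 1))
    return xor(data, stream[:len(data)])


def broadcast(cover_keys, K, M, U=None):
    """Build ([i_1..i_m, U, Prefix_|K|(E_{L_i1}(U)) xor K, ...], F_K(M)).
    cover_keys maps each subset index i_j of the cover to its long-lived key L_{i_j}."""
    U = U or os.urandom(BLOCK)                     # fresh for every message
    ids = sorted(cover_keys)
    cts = [xor(E(cover_keys[i], U)[:KLEN], K) for i in ids]
    return (ids, U, cts), F(K, M)


def receive(header, body, my_subset, L):
    """A receiver in subset my_subset holding L recovers K and then M; None if revoked."""
    ids, U, cts = header
    if my_subset not in ids:
        return None
    K = xor(E(L, U)[:KLEN], cts[ids.index(my_subset)])
    return F(K, body)


def header_bytes(header):
    """m * (IDLEN + |K|) + |U| bytes, against m * (IDLEN + BLOCK) without truncation."""
    ids, U, cts = header
    return len(ids) * IDLEN + len(U) + sum(len(c) for c in cts)


def reuse_leak(L, Ka, Kb, U):
    """Why U must be fresh: under the same L, two headers built with the same U
    XOR to K_a xor K_b, because the truncated block is used as a one-time pad."""
    ha, _ = broadcast({1: L}, Ka, b"", U)
    hb, _ = broadcast({1: L}, Kb, b"", U)
    return xor(ha[2][0], hb[2][0]) == xor(Ka, Kb)


def demo():
    """Constructed cover of four subsets; one covered receiver and one revoked one."""
    cover_keys = {i: os.urandom(16) for i in (5, 9, 12, 27)}
    K, M = os.urandom(KLEN), b"session content for the non-revoked receivers"
    header, body = broadcast(cover_keys, K, M)
    got = receive(header, body, 12, cover_keys[12])
    revoked = receive(header, body, 13, os.urandom(16))
    return got == M, revoked is None, header_bytes(header), len(body) == len(M)


if __name__ == "__main__":
    print(demo())
```

For a cover of $m = 4$ subsets the header is $4 \cdot 4 + 16 + 4 \cdot 7 = 60$ bytes, i.e. 7 bytes per subset plus the one shared block $U$. `reuse_leak` is the check a practitioner should keep in mind: $U$ is public, so its security comes entirely from being used once per long-lived key; reusing it turns the truncated prefixes into a reused pad.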

Hierarchical Revocation: We point out that the schemes are well suited 
to efficiently support hierarchical revocations of large groups of clustered-users; 
this is useful, for instance, to revoke all devices of a certain manufacturer. 

Public Key methods: A revocation scheme that is used in a public key
mode is appropriate in scenarios where the party that generated the ciphertext
is not necessarily trustworthy. This calls for implementing $E$ with a public-key
cryptosystem; however, a number of difficulties arise such as the public-key
generation process, the size of the public key file and the header reduction. As we
show, using a Diffie-Hellman like scheme solves most of these problems (except
the public key file size).

An interesting point is that prefix truncation is still applicable and we get
that the length of public-key encryption is hardly longer than the private-key
case. This can be done as follows: Let $\mathbb{G}$ be a group with a generator $g$, let $g^{y_i}$
be the public key of subset $S_i$ and $y_i$ its secret key. Choose $h$ as a pairwise-independent
function $h : \mathbb{G} \mapsto \{0,1\}^{|K|}$; thus elements which are uniformly
distributed over $\mathbb{G}$ are mapped to uniformly distributed strings of the desired
length. The encryption $E$ is done by picking a fresh random exponent $x$, publicizing
$g^x$, and encrypting $K$ as $E_{L_{i_j}}(K) = h(g^{x y_{i_j}}) \oplus K$. That is, the header now
becomes

$$([i_1, i_2, \ldots, i_m, g^x, h, h(g^{x y_{i_1}}) \oplus K, \ldots, h(g^{x y_{i_m}}) \oplus K],\ F_K(M))$$

In terms of the broadcast length such a system hardly increases the number of
bits in the header as compared with a shared-key system - the only difference is
$g^x$ and the description of $h$. Therefore this difference is fixed and does not grow
with the number of revocations. Note however that the scheme as defined above
is not immune to chosen-ciphertext attacks, but only to chosen plaintext ones.
Coming up with public-key schemes where prefix-truncation is possible that are
immune to chosen ciphertext attacks of either kind is an interesting challenge.



Copy Protection and CPRM. Copy protection is a natural application for
trace-and-revoke schemes, and the stateless scenario is especially appropriate
when content is distributed on pre-recorded media. CPRM/CPPM (Content
Protection for Recordable Media and Pre-Recorded Media) is a technology
developed and licensed by the "4C" group - IBM, Intel, MEI (Panasonic) and
Toshiba. It defines a method for protecting content on physical media such
as recordable DVD, DVD Audio, Secure Digital Memory Card and Secure
CompactFlash. A licensing entity (the Center) provides a unique set of secret device
keys to be included in each device at manufacturing time. The licensing entity
also provides a Media Key Block (MKB) to be placed on each compliant media
(for example, on the DVD). The MKB is essentially the header of the ciphertext
which encrypts the session key. It is assumed that this header resides on a write-once
area on the media, e.g. a pre-embossed lead-in area on the recordable DVD.
When the compliant media is placed in a player/recorder device, it computes
the session key from the header (MKB) using its secret keys; the content is then
encrypted/decrypted using this session key.

The algorithm employed by CPRM is essentially a Subset-Cover scheme.
Consider a table with $A$ rows and $C$ columns. Every device (receiver) is viewed
as a collection of $C$ entries from the table, exactly one from each column, that is
$u = [u_1, \ldots, u_C]$ where $u_i \in \{0, 1, \ldots, A-1\}$. The collection of subsets $S_1, \ldots, S_w$
defined by this algorithm corresponds to subsets of receivers that share the same
entry at a given column, namely $S_{r,i}$ contains all receivers $u = [u_1, \ldots, u_C]$ such
that $u_i = r$. For every $0 \le i \le A-1$ and $1 \le j \le C$ the scheme associates
a key denoted by $L_{i,j}$. The private information that is provided to a device
$u = [u_1, \ldots, u_C]$ consists of $C$ keys $L_{u_1,1}, L_{u_2,2}, \ldots, L_{u_C,C}$.

For a given set $\mathcal{R}$ of revoked devices, the method partitions $\mathcal{N} \setminus \mathcal{R}$ as follows:
$S_{i,j}$ is in the cover iff $S_{i,j} \cap \mathcal{R} = \emptyset$. While this partition guarantees that a
revoked device is never covered, there is a low probability that a non-revoked
device $u \notin \mathcal{R}$ will not be covered either and therefore becomes non-functional.

The CPRM method is a Subset-Cover method with two exceptions: (1) the
subsets in a cover are not necessarily disjoint and (2) the cover is not always
perfect, as a non-revoked device may be uncovered. Note that the CPRM method
is not $r$-flexible: the probability that a non-revoked device is uncovered grows
with $r$, hence in order to keep it small enough the number of revocations must
be bounded by $A$.

For the sake of comparing the performance of CPRM with the two methods 
suggested in this paper, assume that C = log N and A = r. Then, the message 
is composed of r log N encryptions, the storage at the receiver consists of log N 
keys and the computation at the receiver requires a single decryption. These 

® Both the scheme of Cramer and Shoup 0 and the random oracle based scheme M 
require some specific information for each recipient; a possible approach with random 
oracles is to follow the lines of mi- 
^ This is similar to the scenario considered in m 
bounds are similar to the Complete Subtree method; however, unlike CPRM,
the Complete Subtree method is $r$-flexible and achieves perfect coverage. The
advantage of the Subset Difference method is much more substantial: in addition
to the above, the message consists of $1.25r$ encryptions on average, or of at most
$2r - 1$ encryptions, rather than $r \log N$.
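The CPRM-style table cover just described, as an added example (not CPRM's actual key tables or the 4C specification). Device entries are drawn at random from a seeded generator, so the table is constructed; the functions build the cover by the rule $S_{i,j} \cap \mathcal{R} = \emptyset$, check that no revoked device is ever covered, and count the non-revoked devices left without a subset, comparing $r$ well below $A$ with $r$ well above it:

```python
"""CPRM-style table cover: A rows x C columns, a device holds one entry per column.

The device table is constructed (random entries from a seeded generator);
the real CPRM key tables are not reproduced here.
"""
import random


def make_devices(n, A, C, seed=1):
    """Device u -> [u_1, ..., u_C] with each u_j drawn from 0..A-1."""
    rng = random.Random(seed)
    return [[rng.randrange(A) for _ in range(C)] for _ in range(n)]


def cprm_cover(devices, revoked, A, C):
    """S_{r,j} (row r, column j) is in the cover iff it contains no revoked device."""
    blocked = {(devices[u][j], j) for u in revoked for j in range(C)}
    return [(r, j) for j in range(C) for r in range(A) if (r, j) not in blocked]


def covered_counts(devices, cover):
    """How many cover subsets each device belongs to (0 = cannot decrypt)."""
    cov = set(cover)
    return [sum((dev[j], j) in cov for j in range(len(dev))) for dev in devices]


def evaluate(devices, revoked, A, C):
    """Return (cover size, non-revoked devices left uncovered, max subsets per device)."""
    cover = cprm_cover(devices, revoked, A, C)
    counts = covered_counts(devices, cover)
    rev = set(revoked)
    assert all(counts[u] == 0 for u in rev), "a revoked device must never be covered"
    uncovered = sum(1 for u in range(len(devices)) if u not in rev and counts[u] == 0)
    return len(cover), uncovered, max(counts)


def demo(n=4096, A=16, C=12):
    """Constructed comparison: r = 3 revocations against r = 64, well above A."""
    devices = make_devices(n, A, C)
    few = evaluate(devices, range(3), A, C)
    many = evaluate(devices, range(64), A, C)
    return few, many


if __name__ == "__main__":
    print(demo())
```

With $A = 16$ and $C = 12$, three revocations leave every non-revoked device covered, and most devices sit in several overlapping subsets (property (1) above), while 64 revocations block nearly every row of every column and leave most honest devices unable to decrypt; that growth of the failure probability with $r$ is the sense in which the method is not $r$-flexible.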

For example, in DVD Audio, the amount of storage that is dedicated for
its MKB (the header) is 3 MB. This constrains the maximum allowed message
length. Under a certain choice of parameters, such as the total number of manufactured
devices and the number of distinct manufacturers, with the current
CPRM algorithm the system can revoke up to about 10,000 devices. In contrast,
for the same set of parameters and the same 3 MB constraint, a Subset Difference
algorithm achieves up to 250,000 revocations, a factor of 25 improvement over
the currently used method. This major improvement is partly due to the fact that
hierarchical revocation can be done very effectively, a property that the current
CPRM algorithm does not have.

Applications to Multicast. The difference between key management for the
scenario considered in this paper and for the Logical Key Hierarchy for multicast
is that in the latter the users (i.e. receivers) may update their keys [30,29].
This update is referred to as a re-keying event and it requires all users to be
connected during this event and change their internal state (keys) accordingly.
However, even in the multicast scenario it is not reasonable to assume that all the
users receive all the messages and perform the required update. Therefore some
mechanism that allows individual update must be in place. Taking the stateless
approach gets rid of the need for such a mechanism: simply add a header to
each message denoting who the legitimate recipients are by revoking those who
should not receive it. In case the number of revocations is not too large this may
yield a more manageable solution. This is especially relevant when there is a
single source sending the messages or when public keys are used.

Backward secrecy: Note that revocation in itself lacks backward secrecy in the
following sense: a constantly listening user that has been revoked from the system
records all future transmissions (which it can't decrypt anymore) and keeps all
ciphertexts. At a later point it gains a valid new key (by re-registering) which
allows decryption of all past communication. Hence, a newly acquired user-key
can be used to decrypt all past session keys and ciphertexts. The way proposed
there to achieve backward secrecy is to perform re-keying when new users are
added to the group (such a re-keying may be reduced to only one-way chaining,
known as LKH+), thus making such operations non-trivial. We point out that
in the subset-cover framework, and especially in the two methods we proposed,
it may be easier: at any given point of the system include in the set of revoked
receivers all identities that have not been assigned yet. As a result, a newly
assigned user-key cannot help in decrypting an earlier ciphertext. Note that this
is feasible since we assume that new users are assigned keys in consecutive order
of the leaves in the tree, so unassigned keys are consecutive leaves in the complete
tree and can be covered by at most $\log N$ sets (of either type, the Complete
Subtree method or the Subset Difference method). Hence, the unassigned leaves
can be treated with the hierarchical revocation technique, resulting in adding at
most $\log N$ revocations to the message.
4 Tracing Traitors

It is highly desirable that a revocation mechanism could work in tandem with a
tracing mechanism to yield a trace and revoke scheme. We show a tracing method
that works for many schemes in the subset-cover framework. The method is quite
efficient. The goal of a tracing algorithm is to find the identities of those that
contributed their keys to an illicit decryption box and revoke them; short of
identifying them we should render the box useless by finding a "pattern" that
does not allow decryption using the box, but still allows broadcasting to the
legitimate users. Note that this is a slight relaxation of the requirement of a
tracing mechanism, say in [23] (which requires an identification of the traitor's
identity) and in particular it lacks self enforcement. However, as a mechanism
that works in conjunction with the revocation scheme it is a powerful tool to
combat piracy.



The model. Suppose that we have found an illegal decryption-box (decoder,
or clone) which contains the keys associated with at most $t$ receivers $u_1, \ldots, u_t$
known as the "traitors".

We are interested in "black-box" tracing, i.e. one that does not take the
decoder apart but, by providing it with an encrypted message and observing its
output (the decrypted message), tries to figure out who leaked the keys. A pirate
decoder is of interest if it correctly decodes with probability $p$ which is at least
some threshold $q$, say $q > 0.5$. We assume that the box has a "reset button", i.e.
that its internal state may be reset to some initial configuration. In particular
this excludes a "locking" strategy on the part of the decoder which says that in
case it detects that it is under test, it should refuse to decode further. Clearly
software-based systems can be simulated and therefore have the reset property.

The result of a tracing algorithm is either a subset consisting of traitors or 
a partition into subsets that renders the box useless i.e. given an encryption 
with the given partition it decrypts with probability smaller than the threshold 
q while all good users can still decrypt. 

In particular, a “subsets based” tracing algorithm devises a sequence of 
queries which, given a black-box that decodes with probability above the thresh- 
old $q$, produces the results mentioned above. It is based on constructing useful 
sets of revoked devices $\mathcal{R}$ which will ultimately allow the detection of the re- 
ceiver’s identity or the configuration that makes the decoder useless. A tracing 
algorithm is evaluated based on (i) the level of performance downgrade it imposes 
on the revocation scheme and (ii) the number of queries needed. 



4.1 The Tracing Algorithm 

Subset tracing: An important procedure in our tracing mechanism is one that, 
given a partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ and an illegal box, outputs one of two 
possible outputs: either (i) that the box cannot decrypt with probability greater 
than the threshold when the encryption is done with partition $S$, or (ii) a subset 
$S_{i_j}$ such that $S_{i_j}$ contains a traitor. Such a procedure is called subset 
tracing and is described below. 

* Our algorithm also works for more than one box. 

Bifurcation property: Given a subset-tracing procedure, we describe a tracing 
strategy that works for many Subset-Cover revocation schemes. The property 
that the revocation algorithm should satisfy is that for any subset $S_i$, $1 \le i \le w$, 
it is possible to partition $S_i$ into two (or a constant number of) roughly equal sets, i.e. that 
there exist $1 \le i_1, i_2 \le w$ such that $S_i = S_{i_1} \cup S_{i_2}$ and $|S_{i_1}|$ is roughly the same 
as $|S_{i_2}|$. For a Subset-Cover scheme, let the bifurcation value be the relative size 
of the largest subset in such a split. 

Both the Complete Subtree and the Subtree Difference methods satisfy this 
requirement: in the case of the Complete Subtree Method each subset, which 
is a complete subtree, can be split into exactly two equal parts, corresponding 
to the left and right subtrees. Therefore the bifurcation value is $1/2$. As for the 
Subtree Difference Method, each subset $S_{i,j}$ can be split into two subsets each 
containing between one third and two thirds of the elements. Here, again, this is 
done using the left and right subtrees of node $i$. See Fig. 4. The only exception is 
when $i$ is a parent of $j$, in which case the subset is the complete subtree rooted at 
the other child; such subsets can be perfectly split. The worst case of $(1/3, 2/3)$ 
occurs when $i$ is the grandparent of $j$. Therefore the bifurcation value is $2/3$. 







Fig. 4. Bifurcating a Subset Difference set $S_{i,j}$, depicted on the left. The black triangle 
indicates the excluded subtree. $L$ and $R$ are the left and the right children of $v_i$. The 
resulting sets $S_{L,j}$ and $S_{i,L}$ are depicted on the right. 
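To make the bifurcation property concrete, the following is an added Python example (it is not code from the paper). It represents Subset Difference sets $S_{i,j}$ over a complete binary tree with heap-style node numbering (root 1, children $2v$ and $2v+1$; a labelling assumed here for convenience), splits every set along the child of $v_i$ on the path to $v_j$ exactly as Fig. 4 does, checks that the halves partition the set, and measures the largest relative half over all sets of a small tree. All function names are the example's own.

```python
"""Added example: bifurcating Subset Difference sets S_{i,j} (not NNL's code).

Tree nodes are numbered heap-style: root = 1, children of v are 2v and 2v+1,
and a tree of height h has the N = 2**h leaves 2**h .. 2**(h+1)-1.
"""
from fractions import Fraction


def leaves_under(v, height):
    """All leaves in the complete subtree rooted at node v."""
    lo = hi = v
    while lo < 2 ** height:            # descend until both bounds are leaves
        lo, hi = 2 * lo, 2 * hi + 1
    return frozenset(range(lo, hi + 1))


def is_descendant(j, i):
    """True iff node j lies strictly below node i."""
    if j <= i:
        return False
    while j > i:
        j //= 2
    return j == i


def sd_set(i, j, height):
    """S_{i,j}: the leaves under v_i that are not under v_j (v_j below v_i)."""
    assert is_descendant(j, i), "S_{i,j} needs v_j strictly below v_i"
    return leaves_under(i, height) - leaves_under(j, height)


def bifurcate(i, j, height):
    """Split S_{i,j} into two Subset Difference sets, given as (i', j') pairs.

    Returns None when S_{i,j} is a single receiver and cannot be split.
    """
    left, right = 2 * i, 2 * i + 1
    if j in (left, right):
        # v_j is a child of v_i: S_{i,j} is the complete subtree at the other
        # child, which splits perfectly into its two halves.
        other = right if j == left else left
        if other >= 2 ** height:       # that child is a leaf: singleton set
            return None
        return (other, 2 * other), (other, 2 * other + 1)
    # v_j is deeper than a child of v_i: cut at the child on the path to v_j.
    # With that child L the halves are S_{L,j} and S_{i,L} (Fig. 4).
    side = left if is_descendant(j, left) else right
    return (side, j), (i, side)


def split_ratio(i, j, height):
    """Relative size of the larger half of S_{i,j} (None for singletons),
    after checking that the two halves really partition S_{i,j}."""
    whole = sd_set(i, j, height)
    halves = bifurcate(i, j, height)
    if halves is None:
        assert len(whole) == 1
        return None
    a, b = (sd_set(*h, height) for h in halves)
    assert a | b == whole and not (a & b), "halves must partition S_{i,j}"
    return Fraction(max(len(a), len(b)), len(whole))


def bifurcation_value(height):
    """Largest split_ratio over every S_{i,j} of a tree of the given height."""
    worst = Fraction(0)
    for i in range(1, 2 ** height):                    # internal nodes
        for j in range(2 * i, 2 ** (height + 1)):
            if is_descendant(j, i):
                ratio = split_ratio(i, j, height)
                if ratio is not None:
                    worst = max(worst, ratio)
    return worst


if __name__ == "__main__":
    # The worst case (2/3) is hit exactly when v_i is the grandparent of v_j.
    print("bifurcation value, height 4:", bifurcation_value(4))
    print("S_{1,4} splits with ratio", split_ratio(1, 4, 4))
```

Running the script for a tree of 16 receivers reports a bifurcation value of 2/3, attained by sets such as $S_{1,4}$ (12 receivers split 8 and 4), while sets whose excluded node is a child of $v_i$ split evenly. The same bookkeeping is what a tracer needs in order to know which pair of index pairs to place in the next ciphertext after a split.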




The Tracing Algorithm: We now describe the general tracing algorithm, assum- 
ing that we have a good subset tracing procedure. The algorithm maintains a 
partition $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$. At each phase one of the subsets is partitioned, and 
the goal is to partition a subset only if it contains a traitor. 

Each phase initially applies the subset-tracing procedure with the current 
partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$. If the procedure outputs that the box cannot 
decrypt with $S$ then we are done, in the sense that we have found a way to 
disable the box without hurting any legitimate user. Otherwise, let $S_{i_j}$ be the 
set output by the procedure, namely $S_{i_j}$ contains a traitor. 

If $S_{i_j}$ contains only one possible candidate, it must be a traitor and we 
permanently revoke this user; this doesn’t hurt a legitimate user. Otherwise we 
split $S_{i_j}$ into two roughly equal subsets and continue with the new partitioning. 
The existence of such a split is assured by the bifurcation property. 

Analysis: Since a partition can occur only in a subset that has a traitor and 
contains more than one element, it follows that the number of iterations can be 
at most $t \log_a N$, where $a$ is the inverse of the bifurcation value (a more refined 
expression is $t(\log_a N - \log_2 t)$, the number of edges in a binary tree with $t$ leaves 
and depth $\log_a N$). 

The Subset Tracing Procedure. The Subset Tracing procedure first tests 
whether the box decodes a message with the partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ with 
sufficient probability, greater than the threshold, say $> 0.5$. If not, then it con- 
cludes (and outputs) that the box cannot decrypt with $S$. Otherwise, it needs 
to find a subset $S_{i_j}$ that contains a traitor. 

Let $p_j$ be the probability that the box decodes the ciphertext 

$$\big(\,[\,i_1, i_2, \ldots, i_m,\; E_{L_{i_1}}(R_K), \ldots, E_{L_{i_j}}(R_K),\; E_{L_{i_{j+1}}}(K), \ldots, E_{L_{i_m}}(K)\,],\; F_K(M)\big)$$ 

where $R_K$ is a random string of the same length as the key $K$. That is, $p_j$ is 
the probability of decoding when the first $j$ subsets are noisy and the remaining 
subsets encrypt the correct key. Note that $p_0 = p$ and $p_m = 0$, hence there must 
be some $0 < j < m$ for which $|p_{j-1} - p_j| > \ldots$ It can be shown that if $p_{j-1}$ is 
different from $p_j$ by more than $\epsilon$, where $\epsilon$ is an upper bound on the sum of the 
probabilities of breaking the encryption scheme $E$ and the key assignment method, 
then the set $S_{i_j}$ must contain a traitor. It also provides a binary-search-like 
method that efficiently finds a pair of values $p_j, p_{j-1}$ among $p_0, \ldots, p_m$ satisfying 
$|p_{j-1} - p_j| > \ldots$ 
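The tracing algorithm and the subset tracing procedure above, run end to end against a simulated clone, as an added Python example that is not code from the paper. It uses the Complete Subtree method, so a subset is a tree node and a split is simply the left and right subtrees (bifurcation value 1/2). Everything cryptographic is abstracted away: a ciphertext is modelled as the list of (subset, payload) pairs with the payload "KEY" standing for $E_{L_i}(K)$ and "NOISE" for $E_{L_i}(R_K)$, and the clone is the strongest deterministic one, which decodes whenever one of its keys opens a subset carrying the real key. Node numbering (root 1, children $2v$ and $2v+1$), the traitor identities and the function names are this example's own assumptions.

```python
"""Added example: the tracing algorithm of Sect. 4.1 run against a simulated
clone box, using the Complete Subtree method (not NNL's code).

Assumptions of this example (not from the paper): heap-style node numbering
(root 1, children 2v and 2v+1, leaves 2**h .. 2**(h+1)-1), a ciphertext that is
just the list of (subset, payload) pairs where payload "KEY" stands for
E_{L_i}(K) and "NOISE" for E_{L_i}(R_K), and the strongest deterministic clone,
which decodes whenever one of its keys opens a subset carrying the real key.
"""
from fractions import Fraction


def root_path(leaf):
    """Keys a receiver holds under the Complete Subtree method: one per ancestor."""
    keys = set()
    while leaf >= 1:
        keys.add(leaf)
        leaf //= 2
    return keys


class PirateBox:
    def __init__(self, traitors):
        self.keys = set().union(*(root_path(u) for u in traitors))
        self.queries = 0                      # cost measure (ii) of the text

    def decode(self, ciphertext):
        self.queries += 1
        return any(v in self.keys and payload == "KEY" for v, payload in ciphertext)


def encrypt(partition, noisy_prefix):
    """Ciphertext for partition S with the first `noisy_prefix` subsets noisy."""
    return [(v, "NOISE" if k < noisy_prefix else "KEY") for k, v in enumerate(partition)]


def decode_prob(box, ciphertext, trials=4):
    """Estimate p_j by repeated queries (exact for a deterministic box)."""
    return Fraction(sum(box.decode(ciphertext) for _ in range(trials)), trials)


def subset_tracing(box, partition, threshold=Fraction(1, 2)):
    """Return the index of a subset of `partition` that contains a traitor, or
    None if the box cannot decrypt with this partition above the threshold.

    p_0 = p and p_m = 0, so some unit step j-1 -> j loses at least p/m; the
    binary search keeps the half of [a, b] whose average drop is still that big.
    """
    m = len(partition)
    p = {0: decode_prob(box, encrypt(partition, 0)),
         m: decode_prob(box, encrypt(partition, m))}
    if p[0] < threshold:
        return None
    step = (p[0] - p[m]) / m
    a, b = 0, m                                 # invariant: p[a]-p[b] >= (b-a)*step
    while b - a > 1:
        c = (a + b) // 2
        p[c] = decode_prob(box, encrypt(partition, c))
        if p[a] - p[c] >= (c - a) * step:
            b = c
        else:                                   # then the drop sits in [c, b]
            a = c
    return b - 1                                # p_{b-1} - p_b >= step: subset S_{i_b} holds a traitor


def trace(box, height, threshold=Fraction(1, 2)):
    """Bifurcate traitor-containing subsets until the box is disabled.
    Returns (revoked traitors, final partition, number of splits)."""
    partition = [1]                             # one subset: the whole tree
    revoked, splits = [], 0
    while True:
        k = subset_tracing(box, partition, threshold)
        if k is None:                           # box useless, legitimate users intact
            return revoked, partition, splits
        v = partition.pop(k)
        if v >= 2 ** height:                    # a single receiver: it is a traitor
            revoked.append(v)
        else:                                   # split into left and right subtrees
            partition += [2 * v, 2 * v + 1]
            splits += 1


def covers(partition, leaf):
    """Can receiver `leaf` decrypt a message sent with this partition?"""
    return any(v in root_path(leaf) for v in partition)


if __name__ == "__main__":
    box = PirateBox([19, 25])                   # constructed traitors, N = 16
    revoked, partition, splits = trace(box, 4)
    print("revoked:", sorted(revoked), "splits:", splits, "queries:", box.queries)
```

With two traitors in a 16-receiver tree the run ends with exactly those two leaves revoked, every other receiver still covered by some subset of the final partition, and at most $t \log_2 N = 8$ splits, matching the analysis above; the `queries` counter shows the price of the binary search over the noisy prefixes. Against a probabilistic clone one would raise `trials` so that the estimated $p_j$ are accurate to within the $\epsilon$ of the text.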

4.2 Improving the Tracing Algorithm 

The basic traitor tracing algorithm described above requires $t \log(N/t)$ itera- 
tions. Furthermore, since at each iteration the number of subsets in the partition 
increases by one, tracing $t$ traitors may result in up to $t \log(N/t)$ subsets and 
hence in messages of length $t \log(N/t)$. This bound holds for any Subset-Cover 
method satisfying the Bifurcation property, and both the Complete Subtree and 
the Subset Difference methods satisfy this property. What is the bound on the 
number of traitors that the algorithm can trace? 

Recall that the message length required by the Complete Subtree method 
is $r \log(N/r)$ for $r$ revocations, hence the tracing algorithm can trace up to $r$ 
traitors if it uses the Complete Subtree method. However, since the message 
length of the Subset Difference method is at most $2r - 1$, only … traitors 
can be traced if Subset Difference is used. We now describe an improvement on 
the basic tracing algorithm that reduces the number of subsets in the partition 
to $5t - 1$ for the Subset Difference method (although the number of iterations 
remains $t \log(N/t)$). With this improvement the algorithm can trace up to $r/5$ 
traitors. 

Note that among the $t \log(N/t)$ subsets generated by the basic tracing algo- 
rithm, only $t$ actually contain a traitor. The idea is to repeatedly merge those 
subsets which are not known to contain a traitor.† Specifically, we maintain at 
each iteration a frontier of at most $2t$ subsets plus $3t - 1$ additional subsets. In 
the following iteration a subset that contains a traitor is further partitioned; as 
a result, a new frontier is defined and the remaining subsets are re-grouped. 

Frontier subsets: Let $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ be the partition at the current iteration. A 
pair of subsets is said to be in the frontier if both resulted from a split-up of a 
single subset at an earlier iteration and neither of them was singled out by the 
subset tracing procedure so far. This definition implies that the frontier is composed 
of $k$ disjoint pairs of buddy subsets. Since buddy-subsets are disjoint and since each 
pair originated from a single subset that contained a traitor (and therefore has been 
split), $k \le t$. 

We can now describe the improved tracing algorithm, which proceeds in it- 
erations. Every iteration starts with a partition $S = S_{i_1}, \ldots, S_{i_m}$. Denote by 
$F \subseteq S$ the frontier of $S$. An iteration consists of the following steps, by the end 
of which a new partition $S'$ and a new frontier $F'$ are defined. 

— As before, use the Subset Tracing procedure to find a subset $S_{i_j}$ that contains 
a traitor. If the tracing procedure outputs that the box cannot decrypt with 
$S$ then we are done. Otherwise, split $S_{i_j}$ into two subsets. 

— Let $F'$ be $F$ together with the two halves of $S_{i_j}$ (the two halves are now in 
the frontier). Furthermore, if $S_{i_j}$ was in the frontier $F$ and $S_{i_k}$ was its 
buddy-subset in $F$ then $F' = F' \setminus S_{i_k}$ (remove $S_{i_k}$ from the frontier). 

— Compute a cover $C$ for all receivers that are not covered by $F'$. Define the 
new partition $S'$ as the union of $C$ and $F'$. 

To see that the process described above converges, observe that at each itera- 
tion the number of new small frontier sets always increases by at least one. More 
precisely, at the end of each iteration construct a vector of length $N$ describing 
how many sets of size $i$, $1 \le i \le N$, constitute the frontier. It is easy to see that 
these vectors are lexicographically increasing. The process must stop when or 
before all sets in the frontier are singletons. 

By definition, the number of subsets in a frontier can be at most $2t$. Further- 
more, they are paired into at most $t$ disjoint buddy subsets. As for non-frontier 
subsets ($C$), the covering Lemma shows that covering the remaining elements can be done 
by at most $3t - 1$ subsets (note that we apply the lemma so as to cover 
all elements that are not covered by the buddy subsets, and there are at most 
$t$ of them). Hence the partition at each iteration is composed of at most $5t - 1$ 
subsets. 

† This idea is similar to the second scheme of […], Sect. 3.3. However, in […] the merge 
is straightforward as their model allows any subset. In our model only members 
from the Subset Difference are allowed, hence a merge which produces subsets of 
this particular type is non-trivial. 
Abstract. We present a new generic black-box traitor tracing model 
in which the pirate-decoder employs a self-protection technique. This 
mechanism is simple, easy to implement in any (software or hardware) 
device and is a natural way by which a pirate (an adversary) which is 
black-box accessible, may try to evade detection. We present a necessary 
combinatorial condition for black-box traitor tracing of self-protecting 
devices. We constructively prove that any system that fails this condi- 
tion, is incapable of tracing pirate-decoders that contain keys based on 
a superlogarithmic number of traitor keys. We then combine the above 
condition with specific properties of concrete systems. We show that the 
Boneh-Franklin (BF) scheme as well as the Kurosawa-Desmedt scheme 
have no black-box tracing capability in the self-protecting model when 
the number of traitors is superlogarithmic, unless the ciphertext size is 
as large as in a trivial system, namely linear in the number of users. This 
partially settles in the negative the open problem of Boneh and Franklin 
regarding the general black-box traceability of the BF scheme: at least 
for the case of superlogarithmic traitors. Our negative result does not ap- 
ply to the Chor-Fiat-Naor (CFN) scheme (which, in fact, allows tracing 
in our self-protecting model); this separates CFN black-box traceability 
from that of BF. We also investigate a weaker form of black-box trac- 
ing called single-query “black-box confirmation.” We show that, when 
suspicion is modeled as a confidence weight (which biases the uniform 
distribution of traitors), such single-query confirmation is essentially not 
possible against a self-protecting pirate-decoder that contains keys based 
on a superlogarithmic number of traitor keys. 



1 Introduction 

The problem of Traitor Tracing can be understood best in the context of Pay- 
TV. In such a system there are n subscribers, each one possessing a decryption 
box (decoder). The authority scrambles digital data and broadcasts it to all 
subscribers, who use their decryption boxes to descramble the data. It is possible 
for some of the users to collude and produce a pirate decoder: a device not 
registered with the authority that can decrypt the scrambled digital content. 
The goal of Traitor Tracing is to provide a method so that the authority, given 
a pirate decoder, is able to recover the identity of some of the legitimate users 
that participated in the construction of the decoder (traitors) . In such a system 
piracy would be reduced due to the fear of exposure. 

A standard assumption is that each user’s decoder is “open” (to the user) 
so that the decryption key is recoverable. A set of users can combine their keys 
in order to construct a pirate decoder. It is immediately clear that each user 
should have a distinct private key, otherwise distinguishing traitors from non- 
traitors would be impossible. Given the contents of a pirate decoder the authority 
should be able to recover one of the traitors’ keys. A scheme that allows this, 
is called a Traitor Tracing Scheme (TTS). A standard measure of the efficiency 
of a TTS is the size of the ciphertexts. Constructing a TTS with linear (in the 
number of users) ciphertexts is trivial; as a result the focus is on how to achieve 
traitor tracing when the ciphertext size is sublinear in the number of users. An 
additional requirement for TTSs is black-box traitor tracing, namely, a system 
where tracing is done using only black-box access to the pirate decoder (namely, 
only input/output access is allowed). To keep tracing cheap, it is extremely 
desirable that the tracing algorithm is black-box. 



Previous Work 

Let us first review the work on the various notions of traitor tracing. Traitor Trac- 
ing was introduced in [CFN94, CFNP00], with the presentation of a generic TTS. 
Explicit constructions based on combinatorial designs were given in [SW98b]. 
A useful variation of the [CFN94] scheme was presented in […]. Public key 
Traitor Tracing Schemes based on ElGamal encryption were presented in [KD98, 
BF99]. In most settings (here also) it is assumed that the tracing authority is 
trusted (i.e. the authority does not need to obtain a proof that a certain user is 
a traitor); the case where the authority is not trusted was considered in 
[PS96, PW97]. An online approach to tracing, targeting pirate re-broadcasting 
(called dynamic traitor tracing) was presented in [FT99]. A method of dis- 
couraging users from sharing their decryption keys with other parties, called 
self-enforcement, was introduced in [DLN96]. A traitor tracing scheme along 
the lines of [KD98, BF99] combining self-enforcement and revocation capabilities 
was presented in [NP00]. Further combinatorial constructions of traitor tracing 
schemes in combination with revocation methods were discussed in […]. 

Previous work on black-box traitor tracing is as follows: a black-box traitor 
tracing scheme successful against any resettable* pirate decoder was presented in 
[CFN94, CFNP00]. In [BF99], a black-box traitor tracing scheme was presented 
against a restricted model called “single-key pirates”: the pirate-decoder uses 
a single key for decryption without any other side computation (note that this 
single key could have been a combination of many traitors’ keys). In the same 
paper, a weaker form of black-box traitor tracing was presented: “black-box con- 
firmation.” In this setting the tracer has a set of suspects and it wants to confirm 
that the traitors that constructed the pirate decoder are indeed included in the 
set of suspects. The work in […] presented a single-query black-box confirmation 
method: using a single query to the pirate decoder the tracer solves the 
problem; multiple queries may be used to increase confidence. Black-box confir- 
mation can be used for general tracing by trying all possible subsets. However 
the resulting traitor tracing algorithm needs exponential time (unless the num- 
ber of traitors is a constant). In [Pfi96], a piracy prevention behavior was noted, 
dealing with the possibility of pirate decoders shutting down whenever an invalid 
ciphertext (used for tracing, perhaps) is detected. In […] a combination of 
black-box confirmation and tracing appeared: extending the methods of [BF99] 
it was shown how one can trace within the suspect set (which is assumed to 
include all traitors) and recover one of the traitors. In addition, a new mode of 
black box tracing was considered in […] called minimal access black box trac- 
ing: for any query to the pirate decoder, the tracer does not obtain the plaintext 
but merely whether the pirate-decoder can decrypt the ciphertext and “play” it 
or not (e.g. the case of a pirate cable-box incorporating a TV-set). 

* A pirate decoder is called resettable if the tracer has a means of resetting the device 
to its initial state for each trial. 

Our Results 

The Model: Our perspective on black-box traitor tracing is as follows: under 
normal operation all users decrypt the same message; we say that in this case 
all users are colored in the same way. As we will see, in order to trace a pirate 
decoder in a black-box manner we have to disrupt this uniformity: color the 
users using more than one color. A ciphertext that induces such a coloring over 
the user population, will be called an “invalid” ciphertext. Tracing algorithms 
will have to probe with invalid ciphertexts (we assume our tracing methods 
to be aware of this fact). We consider a simple self-protection mechanism that 
can be used by any pirate decoder in order to detect tracing: before decrypting, 
the pirate decoder computes the projection of the induced coloring onto the set 
of traitor keys (for some systems the stored keys can actually be combinations 
of traitor keys). If the traitor keys are colored by two colors or more, then the 
decoder knows that it is probed by the tracer, and can take actions to protect 
itself. Computing the projection of the coloring onto the traitor keys is typically 
not a time-consuming operation and can be implemented within any software 
or hardware pirate decoder: prior to giving output the pirate decoder decrypts 
the given input with all available traitor keys (or combinations thereof) that are 
stored in its code. Since the decoder is black-box accessible, the presence of the 
keys internally, does not reduce its evasion power. 

Necessary Combinatorial Condition and Negative Results: By 
adding the above simple self-protecting mechanism to the capabilities of pirate 
decoders, together with an appropriate reaction mechanism, we present a condi- 
tion that has to be satisfied by any TTS in order to be able to black-box trace 
a pirate decoder that contains $\omega(\log n)$ traitor keys, namely the condition that 
most users should be colored in the same way. If this is not the case, we present 
a strategy that can be followed by a pirate decoder of any type (involving the 
previously stated self-protection mechanism) that defeats any black-box tracing 
method with high probability, assuming randomly chosen traitors. 

Necessary Condition and Negative Results for Confirmation: The 
assumption above which underlies our negative result is that the choice of keys 
available to the pirate is randomly distributed over the keys of the user popula- 
tion, i.e. the tracer has no a-priori idea about the identities of the traitors. In the 
context of black-box confirmation the situation is different because it is assumed 
that the tracer has a set of suspects, that are traitors with higher probability 
compared to a user chosen at random. We formalize this setting (differently 
from [BF99]) by assigning a “confidence level” function to the set of suspects 
that measures the amplification of the probability that a user is a traitor given 
that he belongs to the suspect set. Using this formalization we show that single- 
query black-box confirmation fails against any pirate-decoder, provided that the 
decoder contains a superlogarithmic number of traitor keys, and the confidence 
level of the tracer is below a certain (explicitly defined) threshold. We note that 
the confidence level exhibits a trade-off with the size of the suspect set, i.e. for 
small suspect sets, the confidence of the tracer should be very high in order to be 
successful in black-box confirmation. An immediate corollary of our result is that 
single-query black-box confirmation can be successful against decoders including 
a superlogarithmic number of traitor keys only in the case that the confidence 
level of the tracer is so high that the probability that a user is a suspect given 
that it is a traitor is arbitrarily close to 1. Note that in this case, confirmation 
becomes quite localized (the tracer knows already that the suspect set contains 
all traitors with very high probability; this type of confirmation is covered in 
[BF99]). 



Applying the Results to Concrete Systems: We continue by combin- 
ing our negative results with specific properties of concrete schemes which we 
analyze. First, we consider the Boneh-Franklin scheme [BF99] which possesses 
many attractive properties (based on public key, small ciphertext size, determin- 
istic tracing). We show that the scheme is incapable of black-box traitor tracing 
when there are $\omega(\log n)$ traitors in the self-protecting model, unless the scheme 
becomes trivial (i.e. with ciphertexts of size linear in the number of users). This 
partially (for the $\omega(\log n)$ traitor case) settles in the negative the open problem 
from [BF99], who asked whether [BF99] traceability can be extended to the gen- 
eral black-box traitor tracing model of [CFN94, CFNP00] (i.e. black-box tracing 
of any resettable pirate decoder). Note that this is not an inconsistency with the 
black-box traitor tracing methods of [BF99], since they apply tracing against pi- 
rate decoders of an explicit construction or against a constant number of traitors. 
Similar negative results hold for the scheme of [KD98]. We note that our nega- 
tive results do not apply to the black-box tracing methods of [CFN94, CFNP00] 
since their scheme is proved to work against any resettable pirate-decoder by 
(obviously not coincidentally) using colorings that satisfy the condition we show 
to be necessary (most users are colored in the same way). Thus, our work can 
be seen as retrofitting a design criterion for the early work of [CFN94] and it 
provides a separation with respect to black-box traceability between [CFN94, 
CFNP00] and [BF99]. Additionally, we show that black-box confirmation 
fails for both [BF99] and [KD98] against a superlogarithmic number of traitors unless 
the confidence level of the tracer is extremely high. Note again that this is not 
an inconsistency with the black-box confirmation result of [BF99], which allows 
the differently modeled tracer’s confidence to be quite large. 

Organization. To state negative results, careful modeling is required. We 
define Multicast Encryption Schemes and non-black-box traitor tracing in sec- 
tion 2, whereas in section 3 we formalize the concepts of black-box tracing and 
coloring, and we provide the groundwork for the rest of the paper. In section 4 
we prove the necessary condition for black-box traitor tracing (section 4.1), and 
we identify families of TTSs that are incapable of black-box tracing (section 
4.2). Black-box confirmation is discussed in section 4.3. The negative results 
regarding the black-box traceability of the [BF99] and [KD98] schemes in the 
“self-protecting” pirate-decoder model are proven in section 5 and section 6 
respectively. 



2 Multicast Encryption Schemes 

Any traitor tracing scheme is based on a Multicast Encryption Scheme (MES), 
a cryptographic primitive we formalize in this section. Let $\mathcal{U} := \{1, \ldots, n\}$ be 
the set of users. Let $\{\mathcal{Q}_w\}_{w \in \mathbb{N}}$ be a family of sets of elements of length 
$w$ (e.g. $\mathcal{Q}_w = \{0,1\}^w$). For a certain $w$, we fix the following sets: the message 
space $\mathcal{M}$, the ciphertext space $\mathcal{C} \subseteq \mathcal{Q}_w^v$ and the user key-space $\mathcal{D} \subseteq \mathcal{Q}_w^u$; $v, u$ 
express the dimension of the ciphertext space and the user key space respectively over 
the message space. Without loss of generality we will assume that $u \le v$, i.e. a 
user key does not have to be “longer” than a ciphertext (this is justified by all 
concrete MESs in the literature). Note that in a concrete MES $\mathcal{M}, \mathcal{C}, \mathcal{D}$ may be 
of slightly different structure, e.g. in the [BF99]-scheme $\mathcal{M} \subseteq G_q$, $\mathcal{C} \subseteq \ldots$ 
(see the section on that scheme), but these differences are of minor importance here. 
A function $\sigma(n)$ will be called negligible if $\sigma(n) < n^{-c}$ for all $c$, for sufficiently 
large $n$. For brevity we make the assumption that $1^w$ is polynomially related to 
$n$. A Multicast Encryption Scheme (MES) is a triple $(G, E, D)$ of probabilistic 
polynomial time algorithms with the following properties: 

o Key Generation. On input $1^w$ and $n$, $G$ produces a pair $(e, K)$ with 
$K \subseteq \mathcal{D}$, $|K| = n$. 

o Encryption. $c \leftarrow E(1^w, m, e)$; $m \in \mathcal{M}$, $e : (e, K) \leftarrow G(1^w, n)$, ($c \in \mathcal{C}$). 

o Decryption. For any $m \in \mathcal{M}$, $(e, K) \leftarrow G(1^w, n)$, if $c \leftarrow E(1^w, m, e)$, 
then the probabilities $\mathrm{Prob}[m' \neq m : m' \leftarrow D(1^w, c, d)]$ and $\mathrm{Prob}[m' \neq 
m'' : m' \leftarrow D(1^w, c, d), m'' \leftarrow D(1^w, c, d')]$ are negligible, for any keys 
$d, d' \in K$. The first probability states that the incorrect decryption event is 
negligible whereas the second probability states that all user keys decrypt to 
the same word but with negligible error. 

Note that the above scheme can be either public or secret key. It is easy to 
adapt the standard notions of semantic security or chosen-ciphertext security for 
MESs. 

Let $\mathcal{F}$ be the set of functions $\mathbb{N} \to \mathbb{N}$ s.t. $f \in \mathcal{F}$ if and only if $f$ is 
non-decreasing and constructive (i.e., there is an algorithm $M$ s.t. on input $n$, 
$M$ outputs the string $0^{f(n)}$). Moreover, for any $f, g \in \mathcal{F}$ it holds that either 
(a) $\exists n_0\, \forall n > n_0\, (f(n) = g(n))$, (b) $\exists n_0\, \forall n > n_0\, (f(n) > g(n))$, or (c) $\exists n_0\, \forall n > 
n_0\, (f(n) < g(n))$ (i.e. it is possible to define a total order over $\mathcal{F}$). Since we are 
interested only in functions less than $n$, we assume that $\forall f \in \mathcal{F}$ it holds that 
$\forall n\, (f(n) < n)$. To facilitate traitor tracing, some additional security requirements 
have to be imposed. 

Non-Triviality of Decryption. For any probabilistic polynomial time al- 
gorithm $A$ the following probability is negligible for almost all messages $m$: 
$\mathrm{Prob}[m = m' : m' \leftarrow A(1^w, c);\; c \leftarrow E(1^w, m, e)]$. This property ensures that 
there are no “shortcuts” in the decryption process. Namely, decryption with- 
out access to a key amounts to reversing a one-way function, thus for effective 
decryption one needs some or a combination of the designated user keys. 
Key-User Correspondence. It should be guaranteed that each user does not 
divulge its own key; more generally that a user is responsible when its key 
is being used for decryption. This should apply to collusions of users as well. 
More specifically, given $t \in \mathcal{F}$, there should be no probabilistic polynomial-time 
algorithm working with non-negligible success probability that, given the keys of 
a set of subscribers $d_{i_1}, \ldots, d_{i_k}$ with $k \le t(n)$, and all other public information, 
is able to compute one additional private key $d_j$ with $j \notin \{i_1, \ldots, i_k\}$. 
Non-Ambiguity of Collusions. The user keys are drawn from a key-space $\mathcal{D}_e$ 
defined for each encryption key $e$; i.e. $\mathcal{D}_e \subseteq \mathcal{D}$ contains all $d$ that can be used 
to invert $e$. Obviously $\mathcal{D}_e \supseteq K$ if $(e, K) \leftarrow G(1^w, n)$. Then, the following holds: 
given $t \in \mathcal{F}$, let $A, B$ be probabilistic polynomial algorithms. Given $T_1, T_2$ two 
disjoint subsets of $\mathcal{U}$ of cardinality less than or equal to $t(n)$, let $I_1, I_2$ be all private 
and public information available to $T_1, T_2$ correspondingly. Then the following 
probability is negligible: $\mathrm{Prob}[d = d' \wedge (d \in \mathcal{D}_e) : d \leftarrow A(T_1, I_1, 1^w),\; d' \leftarrow 
B(T_2, I_2, 1^w)]$. 

Non-ambiguity of collusions requires that two disjoint sets of users cannot 
generate the same decryption key. It is an essential property of any traitor- 
tracing scheme, since if it fails it is immediately possible to generate instances 
where tracing is impossible due to ambiguity. 

Definition 1. Traitor Tracing Scheme (non-black-box). Given $t, f, v \in \mathcal{F}$, 
a MES satisfying non-triviality of decryption, key-user correspondence for $t(n)$, 
non-ambiguity of collusions for $t(n)$ and, in addition, has $wv(n)$ ciphertext size, 
is called a $(t(n), f(n), v(n))$-Traitor Tracing Scheme (TTS) if there exists a 
probabilistic polynomial time algorithm $B$ (tracing algorithm) s.t. for any set 
$T \subseteq K$, $(e, K) \leftarrow G(1^w, n)$, with $|T| \le t(n)$ and any probabilistic polynomial 
time algorithm $A$ that given $T$ and all public information outputs $d \in \mathcal{D}_e$, it 
holds that: $\mathrm{Prob}[\tau \in T : \tau \leftarrow B(d, K, 1^w),\; d \leftarrow A(T, 1^w)] \ge 1/f(n)$. 

Because of key-user correspondence, the recovery of $\tau$ is equivalent to ex- 
posing a traitor. Note that in the non-black-box setting it is assumed that the 
decoder is “open” and because of the non-triviality of decryption a decryption 
key is available to the tracer. Black-Box Traitor Tracing Schemes where the trac- 
ing algorithm does not have access to keys (but only black box access to devices) 
are discussed in the next section. 




Self Protecting Pirates and Black-Box Traitor Tracing 69 



3 Black-Box Traitor Tracing: Preliminaries 

3.1 Colorings 

Consider an MES with given $w, (e, K)$. A coloring of the user population is 
a partition $\cup_i C_i$ of $\mathcal{U}$. Let $s \in \mathcal{Q}_w^v$ (an element from the extended ciphertext 
space) induce a coloring over $\mathcal{U}$ as follows: define a relation over $K$: $d \equiv d'$ 
iff $D(1^w, d, s) = D(1^w, d', s)$. Note that if $D$ is deterministic then this is an 
equivalence relation. The coloring can be defined as the set of all the equivalence 
classes of $\equiv$. If $D$ is probabilistic (with negligible error) we define $\equiv$ as $d \equiv d'$ iff 
$\mathrm{Prob}[D(1^w, d, s) \neq D(1^w, d', s)]$ is negligible. 

If $c \leftarrow E(1^w, m, e)$ for some $m \in \mathcal{M}$ (i.e., $c$ is a “real” or “valid” ciphertext) then 
it holds that for all $d, d' \in K$, $D(1^w, d, c) = D(1^w, d', c)$ (with high probability 
if $D$ is probabilistic), therefore there is only one equivalence class induced by $c$, 
i.e. all users are colored by the same color (we call such a coloring trivial). Let 
$X_1$ be the subset of $\mathcal{Q}_w^v$ s.t. $\forall s \in X_1$, $s$ induces a trivial coloring (with negligible 
error). Obviously the valid ciphertexts constitute a subset of $X_1$. 

We say that an MES can induce a coloring $\cup_i C_i$ if there is an algorithm 
that produces a string $s$ s.t. the string $s$ induces the coloring $\cup_i C_i$ over the user 
population. Note that a decryption algorithm of some sort may not necessarily 
return one of the “color labels”, i.e. the elements of the set $\{D(1^w, d, s) \mid d \in K\}$ 
(this can happen if the decryption algorithm operates with some “compound” 
decryption key that has been derived from combining more than one of the 
users’ keys). 
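The trivial scheme mentioned in the introduction (one slot per user, ciphertext linear in $n$) is enough to see induced colorings, and the self-protection condition of the introduction, at work. The following added Python example (not code from the paper) builds that toy MES, derives the equivalence classes $d \equiv d'$ iff $D(d, s) = D(d', s)$ that a string $s$ induces on the key set, and computes exactly how often a uniformly chosen set of $t$ traitor keys lands in a single class, which is the event a self-protecting decoder cannot distinguish from a valid ciphertext. The user keys (a per-user secret), the nonce-keyed HMAC pads, the message length and the user numbering are this example's own constructions.

```python
"""Added example (not the paper's code): a trivial linear-size MES, the
coloring a string s induces on its users, and how likely a randomly chosen
set of t traitor keys is to see only one color.

Constructed for this example: n users, user key d_u = (u, secret_u), and a
ciphertext with one slot per user, slot_u = m XOR HMAC(secret_u, nonce).
"""
import hashlib
import hmac
from collections import defaultdict
from fractions import Fraction
from math import comb

MSG_LEN = 8


def keygen(n, seed=b"constructed-seed"):
    """Toy G: one independent secret per user (derived from a seed for repeatability)."""
    return {u: (u, hashlib.sha256(seed + u.to_bytes(2, "big")).digest()) for u in range(1, n + 1)}


def pad(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).digest()[:MSG_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_colored(keys, nonce, message_of):
    """A string s of the extended ciphertext space: user u's slot carries
    message_of(u). With a constant message_of this is a valid ciphertext."""
    return nonce, {u: xor(message_of(u), pad(secret, nonce)) for u, (_, secret) in keys.items()}


def decrypt(key, s):
    """Toy D: the user unmasks its own slot."""
    u, secret = key
    nonce, slots = s
    return xor(slots[u], pad(secret, nonce))


def induced_coloring(keys, s):
    """Equivalence classes of d = d' iff D(d, s) = D(d', s), largest first."""
    classes = defaultdict(set)
    for u, key in keys.items():
        classes[decrypt(key, s)].add(u)
    return sorted((frozenset(c) for c in classes.values()), key=lambda c: (-len(c), min(c)))


def prob_monochromatic(class_sizes, t):
    """Probability that t traitors drawn uniformly without replacement all
    fall into one color class, i.e. that a decoder comparing the decryptions
    under all of its keys sees nothing unusual in this query."""
    n = sum(class_sizes)
    return sum(Fraction(comb(c, t), comb(n, t)) for c in class_sizes)


if __name__ == "__main__":
    keys = keygen(16)
    valid = encrypt_colored(keys, b"nonce-1", lambda u: b"PROGRAM!")
    print("valid ciphertext colors:", len(induced_coloring(keys, valid)))
    # A tracer's probe: users 3 and 11 get a different word from everybody else.
    probe = encrypt_colored(keys, b"nonce-2", lambda u: b"ALTERNAT" if u in (3, 11) else b"PROGRAM!")
    sizes = [len(c) for c in induced_coloring(keys, probe)]
    for t in (1, 2, 4, 8):
        print(f"sizes={sizes} t={t} P[monochromatic]={prob_monochromatic(sizes, t)}")
```

Run as a script it shows a single color for a valid ciphertext and, for a probe that recolors two of sixteen users, a monochromatic probability that falls as $t$ grows (23/30 at $t = 2$). The numbers make the “most users colored the same way” condition concrete: the fewer users a probe recolors, the more traitor keys a decoder must hold before a second color shows up with noticeable probability, which is why a tracer that wants to survive against self-protecting decoders must keep its colorings almost trivial.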

3.2 Black-Box Traitor Tracing Schemes 

The black-box tracing algorithm $\mathcal{R}$ and the pirate decoder algorithm $\mathcal{B}$ are 
probabilistic polynomial-time Turing machines with communication and output 
tapes. $\mathcal{B}$ incorporates a correct decoding algorithm: i.e. given a valid ciphertext it 
decrypts it, by running the decryption algorithm $D$ with some key $d$ that inverts 
$e$ (note that $d$ is not necessarily one of the user keys, but it is an element of $\mathcal{D}_e$ by 
the non-triviality of decryption property; also note that $d$ may change from one 
decryption to the next). In the terminology of the previous section this means 
that if all traitor keys are colored in the same way the pirate decoder is bound to 
decrypt properly. If $\mathcal{B}$, on the other hand, finds that something is wrong with the 
encryption it may take measures to protect itself, e.g. it may return a random 
word. The set of user keys that are employed in the construction of $\mathcal{B}$ is denoted 
by $T$ (due to key-user correspondence the set $T$ can also be defined to be the set 
of traitor users). The tracing algorithm $\mathcal{R}$ is allowed oracle access to $\mathcal{B}$, namely, 
$\mathcal{R}$ can adaptively generate input strings $s$ (queries) for $\mathcal{B}$ and $\mathcal{B}$, in response, 
will return a value (which is a correct decryption if $s$ is a valid ciphertext). 

From now on we will use the following notation: $\bigcup_{i=1}^{k(n)} C_i^n$ denotes a coloring induced over the user population by some $s$ of the extended ciphertext space; $c_i(n)$ will denote the cardinality of $C_i^n$. Note that for any $n$,it holds that $k(n), c_i(n) \in \{1, \ldots, n\}$; with this in mind we will use standard asymptotic notation to express the relation of these functions to $n$, e.g. $k(n) = \Theta(n)$ means that the number of colors is linear in $n$ etc. We make the assumption that the functions $k(n), c_i(n)$ that are related to colorings produced by $\mathcal{R}$ are always in $\mathbb{F}$. Note that occasionally we may suppress "$(n)$" and write $k$ instead of $k(n)$ etc.

Definition 2. For $t, f \in \mathbb{F}$, we say that a polynomial-time (in $n$) probabilistic algorithm $\mathcal{R}$ is a $(t(n), f(n))$-tracer if for any set of traitors $T \subseteq U$ s.t. $|T| \leq t(n)$ and for any polynomial-time pirate-decoder algorithm $\mathcal{B}$ that was created using the keys of $T$, $\mathcal{R}^{\mathcal{B}}$, given all user keys, outputs with non-negligible probability in $n$ a user who is in the traitor set with probability at least $1/f(n)$.

In this paper we consider tracers $\mathcal{R}$ which are non-ambiguous, i.e., when they probe the decoder they know whether their queries are valid ciphertexts or invalid ones.

We will refer to the function $f$ as the uncertainty of the tracer. Obviously obtaining a tracer with $\Theta(n)$ uncertainty for any MES is very simple: merely outputting any user at random achieves that. The other extreme is a tracer with uncertainty $\Theta(1)$ (ideally uncertainty $= 1$), which, no matter how large the user population is, returns a traitor with constant probability of success.

Remark 3. Consider the tracing approach of accusing any user at random. As stated above this has linear uncertainty and is obviously not useful in any setting. Suppose now that we have a lower bound $\omega(t'(n))$ on the number of traitors; the uncertainty of this tracing approach becomes $n/t'(n)$, which can be sublinear if $t'(n)$ is not a constant. Nevertheless, because we would like to rule it out as a way of tracing, we say that the uncertainty is still linear (and therefore not acceptable), but it is linear in $n' = n/t'(n)$ instead of $n$; abusing the notation we may continue to write that the uncertainty in this case is $\Theta(n)$.

Definition 4. For some $t, f, v \in \mathbb{F}$, a $(t(n), f(n), v(n))$-Black-Box Traitor Tracing Scheme (BBTTS) is an MES that (1) satisfies key-user correspondence and non-ambiguity of collusions for $t(n)$, (2) satisfies non-triviality of decryption, (3) has $v(n)\,w$ ciphertext size, and (4) has a $(t(n), f(n))$-tracer such that all colorings used by the tracer can be induced by the MES.

We say that an MES is incapable of Black-Box Tracing collusions of size $t(n)$ if any polynomial-time tracer $\mathcal{R}$ has linear uncertainty (i.e., it is a $(t(n), \Theta(n))$-tracer).

The proof technique for establishing the fact that a BBTTS is incapable of black-box traitor tracing is the following: for any tracer $\mathcal{R}$ that can be defined in the BBTTS there is another algorithm $\mathcal{R}'$ that operates without oracle access to $\mathcal{B}$ so that the outputs of $\mathcal{R}$ and $\mathcal{R}'$ are essentially identical (i.e. they can differ on at most a negligible fraction of all inputs). More specifically, the oracle $\mathcal{B}$ can be simulated without knowing any information pertaining to $\mathcal{B}$. In such a case we will state that the tracer essentially operates without interacting with the decoder, and as a result it will be immediate that it has linear uncertainty (similar to the fact that any algorithm trying to guess the result of a coin flip without interacting with any agent who knows the result of the coin cannot have success probability greater than 1/2). A preliminary result on tracing follows; we show that strings that induce the trivial coloring over the user population are useless for tracing:

Proposition 5. Queries which are elements of $X_1$ do not help in reducing the uncertainty of a tracer.

Proof. If the $\mathcal{R}$ algorithm uses an element of $X_1$ for querying the pirate decoder then the pirate decoder decrypts normally. This answer can be simulated by any decryption box. In particular, since the tracer is non-ambiguous it knows that it can generate the answer itself using any of the user keys (since it knows all user keys). $\square$

We will assume that the number of traitors in any pirate decoder is sublinear in $n$, and, as is customary, we will give the tracer the advantage of knowing a (sublinear) upper bound on the number of traitors. Additionally we would like to point out that our negative results on traitor tracing are not based on history-recording capabilities of the pirate decoder (i.e. $\mathcal{B}$ as an oracle does not have access to the previously asked queries). As a result the tracer is allowed to reset the decoder to its initial state after each query. In addition, our results apply even when the tracer has access to the randomness used by the pirate decoder.

4 Necessary Conditions for Black-Box Traitor Tracing 

4.1 Combinatorial Condition 

In this section we establish the fact that if the number of traitor keys is superlogarithmic in the user population size, it is not possible to trace without the decoder noticing it, unless queries of a specific type are used. We denote by $\bigcup_i C_i^n \restriction T$ the projection of a coloring onto the traitor keys. Any pirate decoder can easily compute $\bigcup_i C_i^n \restriction T$; this is done by merely applying the decryption algorithm with each traitor key to the given element $s$. Since this is a straightforward process we assume that any pirate decoder implements it. Obviously, if $\bigcup_i C_i^n \restriction T$ contains more than one color then the decoder "understands" it is being traced. In some systems, rather than projecting on individual traitor keys, one can project on combinations thereof (and thus reduce storage and computation requirements).

Theorem 6. Suppose that a pirate decoder containing $t(n) = \omega(\log n)$ traitor keys, randomly distributed over all user keys, is given a query $s$ (an element of the extended ciphertext space) that induces a non-trivial coloring $\bigcup_{i=1}^{k(n)} C_i^n$ over the user population. Suppose further that the coloring has the property $\neg(\exists i\ c_i(n) = n - o(n))$. Then, the probability that the pirate decoder does not detect it is being queried by the tracer is negligible in $n$.
Proof. (Recall that $|C_i^n| = c_i(n)$ for $i = 1, \ldots, k$ and $c_1(n) + \ldots + c_k(n) = n$.) Since $t(n)$ and $c_i(n)$ for $i = 1, \ldots, k$ are elements of $\mathbb{F}$, without loss of generality we assume that $c_i(n) \geq t(n)$ for all $i = 1, \ldots, \ell$ with $\ell \leq k$, for sufficiently large $n$. Obviously if $\ell = 0$ the decoder detects it is being traced.

Recall that we occasionally write $t$ instead of $t(n)$ and $c_i$ instead of $c_i(n)$. The total number of ways the pirate keys may be distributed over the user population is $\binom{n}{t}$. Similarly, the number of ways in which the decoder cannot detect that it is being traced is $\sum_{i=1}^{\ell} \binom{c_i}{t}$. The probability that the decoder cannot detect that it is being traced is therefore
$$P := \frac{\sum_{i=1}^{\ell} \binom{c_i}{t}}{\binom{n}{t}} = \frac{\sum_{i=1}^{\ell} (c_i)_t}{(n)_t}, \qquad \text{where } (m)_u := \frac{m!}{(m-u)!}.$$

For sufficiently large $n$ there will be an $m \in \{1, \ldots, \ell\}$ s.t. $c_m(n) \geq c_i(n)$ for all $i = 1, \ldots, k$.

The probability $P$ is then $\frac{(c_1)_t + \ldots + (c_\ell)_t}{(n)_t} \leq \ell \cdot \frac{(c_m)_t}{(n)_t}$, with $\ell \leq n$. Therefore we only need to show that $(c_m(n))_t / (n)_t$ is negligible in $n$. We consider two sub-cases:

(i) There exists a real number $\alpha > 1$ such that $n \geq \alpha\, c_m(n)$ for sufficiently large $n$. Then $(c_m)_t / (n)_t \leq (c_m)_t / (\alpha c_m)_t$. It holds that $\frac{c_m - i}{\alpha c_m - i} \leq \frac{1}{\alpha}$ for any $i = 0, \ldots, t-1$ (recall that $c_m \geq t$). Then $(c_m)_t / (n)_t \leq 1/\alpha^t$, which obviously is negligible since $\alpha > 1$ and $t = \omega(\log n)$: in detail, $1/\alpha^t \leq 1/n^d$ for any constant $d$ and sufficiently large $n$; equivalently $n^d \leq \alpha^t$, or $d \log n \leq t \log \alpha$, or $t := t(n) \geq d \log_\alpha n$, which is true since $t(n) = \omega(\log n)$.

(ii) There is no $\alpha > 1$ with $n \geq \alpha\, c_m(n)$. Since $c_m(n) \leq n$ though, there has to be a function $f(n) \in \mathbb{F}$ s.t. $c_m(n) = n - f(n)$. If $f(n) = \Theta(n)$ there is a $0 < \beta \leq 1$ s.t. $f(n) \geq \beta n$. The case $\beta = 1$ is not possible since we deal with elements which induce a coloring and $c_m = 0$ is impossible. In the case $\beta < 1$ we have that $n - f(n) \leq n - \beta n$, or equivalently $n \geq \frac{1}{1-\beta} \cdot c_m(n)$; therefore we are in case (i) since $\frac{1}{1-\beta} > 1$ (i.e. $\alpha := \frac{1}{1-\beta}$). Finally, if $f(n) = o(n)$ we fall into the case excluded by the theorem. $\square$

The Theorem asserts that a decoder detects that it is being queried unless most users are colored in the same way. Namely, the negation of the Theorem's condition $\neg(\exists i\ c_i(n) = n - o(n))$ is that there is an $i$ s.t. almost all users are colored in the same way ($c_i(n) = n - o(n)$). By "almost all" we mean that $c_i(n)/n \to 1$ when $n \to \infty$.



4.2 Negative Results 

In this section we discuss how a pirate decoder can take advantage of Theorem 6 in order to protect itself. Specifically we show that there is a deterministic self-protecting strategy for any pirate decoder: when the pirate decoder detects tracing it returns "0" (a predetermined output). This strategy is successful for decoders containing enough traitor keys. The next Theorem asserts that any BBTTS whose underlying MES can only produce ciphertexts that are either valid or do not color most users in the same way (as discussed in the previous section) has $\Theta(n)$ uncertainty for any pirate decoder that incorporates $t(n) = \omega(\log n)$ traitor keys.
Theorem 7. Given a $(t(n), f(n), v(n))$-BBTTS s.t. the underlying MES can only induce colorings with the property $(k(n) = 1) \vee \neg(\exists i\ c_i(n) = n - o(n))$, it holds that if $t(n) = \omega(\log n)$ then $f(n) = \Theta(n)$.

Proof. Assume that the decoder employs $t(n)$ traitor keys. The algorithm followed by the decoder is the following: before decrypting, it computes $\bigcup_i C_i^n \restriction T$. If all traitor keys are colored in the same way, it decrypts using any key. If there is more than one color the decoder returns "0".

The coloring conditions on the MES assure that an invalid ciphertext will be detected by the pirate decoder based on Theorem 6. Consequently the decoder on an invalid ciphertext will return "0" with overwhelming probability. On the other hand, any element in $X_1$ will be properly decrypted. Since the tracer is non-ambiguous, the oracle can be simulated with overwhelming probability. So the tracer essentially operates without interacting with the decoder. By Remark 3 the uncertainty of the scheme is $\Theta(n)$. $\square$

The pirate decoder strategy used in the proof above can be defeated by a tracer that is able to produce colorings s.t. $n - o(n)$ users are colored in the same way. This is achieved in the MES of [CFNP00], and a black-box traitor tracing method which uses such colorings is presented there.



4.3 Negative Results for Black-Box Confirmation 

Black-Box Confirmation is an alternative form of revealing some information about the keys hidden in the pirate decoder. Suppose that the tracer has some information that traitors are included in a set of suspects $S$ and wants to confirm this. The fact that the tracer has some information about the traitor keys means that they are not randomly distributed over all users' keys and therefore Theorem 6 is not applicable (in fact, biasing the distribution of a potential adversary is, at times, a way to model suspicion). Under such modeling, we can show a strong negative result for single-query black-box confirmation, i.e. when a single query is sent to the pirate decoder that induces the same color on the suspects and different color(s) on other users. If the pirate decoder returns the color label associated to the suspect set then the suspicion is confirmed (note that this is exactly the black-box confirmation method used in [BF99]).

The change of the distribution of the traitor keys can be modeled as follows: the probability $\mathrm{Prob}[i \in T \mid i \in S] = a(n)\, \mathrm{Prob}[i \in T]$ where $a(n) \geq 1$ for sufficiently large $n$; note that when the tracer has no information it holds that $a(n) = 1$. Let us fix $t$, the size of the traitor set. We will denote the distribution of $t$-sets of potential traitor keys by $\mathcal{D}_{S,a}$ and refer to $a(n)$ as the advantage of the tracer. For example, for $t = 1$ the probability of all $T$ inside $S$ is $a/n$, whereas the probability of all other $T$'s is correspondingly smaller. As usual, we allow the tracer to know an upper bound on the number of traitors' keys and therefore $|S| \geq |T|$.

Lemma 8. Let $S$ be a set of users such that $s(n) := |S|$ and let $a(n) \in \mathbb{F}$ be such that $s(n)\, a(n) \leq cn$ for some $c \in (0,1)$. Suppose that a pirate decoder employing $t(n) = \omega(\log n)$ traitor keys, distributed according to $\mathcal{D}_{S,a}$, is given a query that induces the following coloring over the user population: the users in $S$ are colored in the same way and the remaining users in different color(s). Then, the probability that the traitor set is included in the suspect set is negligible in $n$.

Proof. For simplicity we write $s, a$ instead of $s(n), a(n)$ respectively. We show that the probability $\mathrm{Prob}[T \subseteq S]$, when $T$ is distributed according to $\mathcal{D}_{S,a}$, is negligible.

It is easy to see that $\mathrm{Prob}[T] = a^t / \binom{n}{t}$ (when $T$ is distributed according to $\mathcal{D}_{S,a}$ and $T \subseteq S$), and as a result $\mathrm{Prob}[T \subseteq S] = a^t \binom{s}{t} / \binom{n}{t}$. The fact that $sa \leq cn$ implies $\frac{(s-i)\,a}{n-i} \leq c$ for any $i \geq 0$; as a result it holds that $a^t \binom{s}{t} / \binom{n}{t} \leq c^t$. Since $0 < c < 1$ and $t = \omega(\log n)$ the probability is negligible. $\square$

Theorem 9. Single-Query Black-Box Confirmation with a suspect set $S$ and confidence $a(n)$ is not possible against any pirate decoder which contains $t(n) = \omega(\log n)$ traitor keys, provided that $|S|\, a(n) \leq cn$ for some constant $c \in (0,1)$.

Proof. Suppose that the pirate decoder returns "0" when it detects an invalid ciphertext. Then, by Lemma 8, with overwhelming probability not all the traitors are in the suspect set; thus the pirate decoder will return the color label of the suspect set with negligible probability in $n$. As a result single-query black-box confirmation will fail. $\square$

Note the trade-off between the size of $S$ and the advantage $a(n)$. How large should the advantage of the tracer be so that single-query black-box confirmation is possible? It should hold that $a(n)\,|S| = n - o(n)$. In this case it holds that $\mathrm{Prob}[i \in S \mid i \in T] = \mathrm{Prob}[(i \in S) \wedge (i \in T)] / \mathrm{Prob}[i \in T] = a(n)\, \mathrm{Prob}[(i \in S) \wedge (i \in T)] / \mathrm{Prob}[i \in T \mid i \in S] = a(n)\, \mathrm{Prob}[i \in S] \to 1$ when $n \to \infty$ (under the condition that $a(n)\,|S| = n - o(n)$). This, together with the above Theorem, implies:

Corollary 10. Single-query Black-box confirmation is impossible against any pirate decoder that includes $t(n) = \omega(\log n)$ traitor keys, unless the probability that a user is a suspect given that it is a traitor is arbitrarily close to 1.

Some remarks should be placed herein: (1) $\mathrm{Prob}[i \in S \mid i \in T]$ being arbitrarily close to 1 means that the confidence level of the tracer is so high that it "forces" $T$ to be a subset of $S$ (for more discussion on confirmation in this case and the relation to the black-box confirmation results of [BF99] see subsection 5.1). (2) We do not rule out black-box confirmation with smaller confidence levels in different models or by multiple queries that do not directly color the suspect set in a single color and the remaining users differently.
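As an added worked example (it is not part of the paper), the following Python code evaluates on concrete parameters the two probabilities that drive the results above: the probability $P = \sum_i \binom{c_i}{t} / \binom{n}{t}$ from the proof of Theorem 6 that $t$ uniformly placed traitor keys all fall into one color class (so the self-protecting decoder sees a single color and does not notice the query), together with the bound $\ell\,(c_m)_t/(n)_t$ used there, and the probability $a^t \binom{s}{t} / \binom{n}{t}$ from Lemma 8 that the traitor set lies inside the suspect set under the biased distribution $\mathcal{D}_{S,a}$. The function names and the colorings built in `examples()` are constructed for illustration only.

```python
from math import comb


def falling(m, u):
    """(m)_u := m!/(m-u)!, the falling factorial used in the proof of Theorem 6."""
    out = 1
    for i in range(u):
        out *= m - i
    return out


def undetected_probability(class_sizes, t):
    """Exact P = sum_i C(c_i, t) / C(n, t): t traitor keys drawn uniformly without
    replacement from the n = sum(class_sizes) user keys all land in one color class,
    so the projection of the coloring onto the traitor keys has a single color."""
    n = sum(class_sizes)
    return sum(comb(c, t) for c in class_sizes) / comb(n, t)


def undetected_upper_bound(class_sizes, t):
    """The bound ell * (c_m)_t / (n)_t from the proof: c_m is the largest class and
    ell the number of classes of size at least t (smaller classes contribute 0)."""
    n = sum(class_sizes)
    big = [c for c in class_sizes if c >= t]
    if not big:
        return 0.0
    return len(big) * falling(max(big), t) / falling(n, t)


def confirmation_probability(n, s, a, t):
    """Prob[T is a subset of S] = a^t * C(s, t) / C(n, t) for a suspect set of size s
    and tracer advantage a under D_{S,a} (Lemma 8); with s*a <= c*n it is at most c^t."""
    return a ** t * comb(s, t) / comb(n, t)


def examples(n=1 << 16):
    """Constructed colorings over n users (assumption: toy parameters); t = 16 and
    t = 64 stand in for a logarithmic and a superlogarithmic number of traitors."""
    half = [n // 2, n // 2]        # two equal classes: no dominant color
    almost = [n - 256, 256]        # a class of size n - o(n): the exception case of Theorem 6
    small_t, big_t = 16, 64
    return {
        "half_t16": undetected_probability(half, small_t),
        "half_t64": undetected_probability(half, big_t),
        "almost_t64": undetected_probability(almost, big_t),
        "bound_half_t64": undetected_upper_bound(half, big_t),
        # suspect set of n/8 users with advantage 4: s*a = n/2, so c = 1/2 in Lemma 8
        "confirm_t16": confirmation_probability(n, n // 8, 4, small_t),
    }
```

With two equal color classes the undetected probability is already below $2^{-t+1}$, while a class of size $n - 256$ leaves the decoder undetected roughly three times out of four even for $t = 64$; that gap is exactly the distinction the theorem draws between colorings with and without a class of size $n - o(n)$.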

5 From Necessary Conditions to Concrete Systems

In this section, we apply our generic necessary condition results to concrete systems. We actually analyze specific properties of the schemes of [BF99] and [KD98]; these properties in combination with the generic results reveal inherent black-box tracing limitations of these schemes in the self-protecting model. This demonstrates that these schemes are, in fact, sensitive to the self-protection property of our model and the number of traitors. This shows the power of the self-protecting pirate model, since in more restricted pirate models (restricting the power of the pirate decoder or the number of traitors) tracing was shown possible, whereas we get negative results for the more general model defined here. We note that below we will assume that self-protection involves decryption with traitor keys. However, achieving self-protection using a linear combination of traitor keys is possible as well; in which case the actual traitor keys are not necessarily stored and the storage as well as the computation of the pirate can be reduced.

Our results can be seen as a separation of the schemes of [BF99] and [KD98] from the scheme of [CFNP00] with respect to black-box traceability. In the latter scheme our self-protection method fails to evade tracing, since the ciphertext messages induce colorings which fall into the exception case of Theorem 6, and the tracing method, in fact, employs such ciphertexts.



5.1 The [BF99]-Scheme

Description. We present the basic idea of the Boneh and Franklin scheme [BF99]. All base operations are done in a multiplicative group $G_q$ in which finding discrete logs is presumed hard, whereas exponent operations are done in $\mathbb{Z}_q$. Vectors (denoted in bold face) are in $\mathbb{Z}_q^v$ and $\mathbf{a} \cdot \mathbf{b}$ denotes the inner product of $\mathbf{a}$ and $\mathbf{b}$. Given a set $\Gamma := \{\gamma_1, \ldots, \gamma_n\}$ where $\gamma_i$ is a vector of length $v$, and given random $\mathbf{r} := (r_1, \ldots, r_v)$ and $c \in \mathbb{Z}_q$, we select $\mathbf{d}_i = \theta_i \gamma_i$, $i = 1, \ldots, n$ such that $\forall i\ \mathbf{r} \cdot \mathbf{d}_i = c$, where $n$ is the number of users (i.e. we select $\theta_i := c / (\mathbf{r} \cdot \gamma_i)$). The vector $\gamma_i$ is selected as the $i$-th row of an $(n \times v)$-matrix $B$ where the columns of $B$ form a base for the null space of $A$, where $A$ is an $(n - v) \times n$ matrix whose $i$-th row is the vector $(1^i, 2^i, \ldots, n^i)$, $i = 0, \ldots, n - v - 1$.

The public key is $(y, h_1, \ldots, h_v)$, where $h_j = g^{r_j}$ and $y = g^c$, with $g$ a generator of $G_q$. Note that all vectors $\mathbf{d}_i$ are representations of $y$ w.r.t. the base $h_1, \ldots, h_v$. Vector $\mathbf{d}_i$ is the secret key of user $i$. Encryption is done as follows: given a message $M \in G_q$, a random $a \in \mathbb{Z}_q$ is selected and the ciphertext is $(M y^a, h_1^a, \ldots, h_v^a)$. Given a ciphertext, decryption is done by applying $\mathbf{d}_i$ to the "tail" of the ciphertext $h_1^a, \ldots, h_v^a$ pointwise, in order to obtain $y^a = \prod_{j=1}^{v} (h_j^a)^{(\mathbf{d}_i)_j}$ by multiplication of the resulting points, and then $M$ is recoverable by division (cf. ElGamal encryption). In [BF99] a tracing algorithm is presented showing that the scheme described above is a $(t(n), 1, 2t(n))$-TTS. It is also shown that their scheme is black-box against pirate decoders of specific implementations ("single-key pirate", "arbitrary pirates"). We next investigate further black-box capabilities of the [BF99]-scheme.

A. Kiayias and M. Yung

Negative Results. Suppose that we want to induce a coloring $\bigcup_{i=1}^{k(n)} C_i^n$ in the [BF99] scheme. Given a (possibly invalid) ciphertext $(C, g^{r_1 x_1}, \ldots, g^{r_v x_v})$, user $i$ decrypts as follows: $C / g^{\sum_{j=1}^{v} r_j x_j (\mathbf{d}_i)_j}$. Thus, we can color user $i$ by the color label $C / g^{\theta_i c_i}$ (the value of the decryption by the user) provided that we find $x_1, \ldots, x_v$ such that $r_1 x_1 (\mathbf{d}_i)_1 + \ldots + r_v x_v (\mathbf{d}_i)_v = \theta_i c_i$. Since $\mathbf{d}_i = \theta_i \gamma_i$, this can be done by finding a $\mathbf{z} := (z_1, \ldots, z_v)$ s.t. $\gamma_i \cdot \mathbf{z} = c_i$ for all $i = 1, \ldots, n$. Given such a $\mathbf{z}$ we can compute the appropriate $x$-values to use in the ciphertext as follows: $x_j = z_j (r_j)^{-1}$ for $j = 1, \ldots, v$. Note that for valid ciphertexts it holds that $\mathbf{z} = a\mathbf{r}$ for some $a \in \mathbb{Z}_q$ (and as a result $x_1 = \ldots = x_v = a$).

Next we present a property of the Boneh-Franklin scheme, showing that an invalid ciphertext (namely, a ciphertext which induces more than one color) cannot color too many users by the same color.

Theorem 11. In the [BF99]-MES, given a (possibly invalid) ciphertext that induces a coloring over the user population so that $v$ users are labelled by the same color, then all users are labelled by the same color.

Proof. Suppose that the ciphertext $(C, g^{r_1 x_1}, \ldots, g^{r_v x_v})$ colors user $i$ by the label $C / g^{\theta_i c_i}$, and that $v$ users are colored by the same label. Let $c'_i := \mathbf{r} \cdot \gamma_i$ for $i = 1, \ldots, n$ (so that $\theta_i = c / c'_i$). Without loss of generality assume that users $1, \ldots, v$ are colored by the same label. Then it holds that $\theta_1 c_1 = \ldots = \theta_v c_v$, or equivalently $c_1 / c'_1 = \ldots = c_v / c'_v$. Let $a := c_1 / c'_1$. Then we have that $c_1 = a c'_1, \ldots, c_v = a c'_v$.

Define $\mathbf{z} = (z_1, \ldots, z_v)$ s.t. $z_j = r_j x_j$ for $j = 1, \ldots, v$. It follows that $\gamma_i \cdot \mathbf{z} = c_i$ for $i = 1, \ldots, n$ (we call this system of equations system 1). Because it holds that $\gamma_i \cdot (a\mathbf{r}) = a c'_i = c_i$ for $i = 1, \ldots, v$ (and this will hold for any $v$ users) it follows that $\mathbf{z} = a\mathbf{r}$, provided (which we show next) that $\gamma_1, \ldots, \gamma_v$ are linearly independent (since in this case the first $v$ equations of system 1 form a system of full rank, and as a result it has a unique solution). Since $\mathbf{z} = a\mathbf{r}$ it follows that $x_1 = \ldots = x_v = a$, i.e. the ciphertext $(C, g^{r_1 a}, \ldots, g^{r_v a})$ is valid.

To complete the proof we have to show that any $v$ vectors of $\Gamma = \{\gamma_1, \ldots, \gamma_n\}$ are linearly independent. Suppose, for the sake of contradiction, that $\gamma_1, \ldots, \gamma_v$ are linearly dependent. Recall that $\gamma_i$ is the $i$-th row of an $(n \times v)$-matrix $B$ where the columns of $B$ constitute a base of the null space of the $(n - v) \times n$-matrix $A$. Let us construct another base as follows: the null space of $A$ contains all $n$-vectors $\mathbf{x} := (x_1, \ldots, x_n)$ such that $A \mathbf{x}^T = \mathbf{0}$. Choose $x_1, \ldots, x_v$ as free variables and solve the system $A \mathbf{x}^T = \mathbf{0}$ (the system is solvable since if we exclude any $v$ columns of $A$ the matrix becomes the transpose of a Vandermonde matrix of size $n - v$; due to this fact the choice of the "first" $v$ vectors $\gamma$ is without loss of generality). Solving the system like this will generate a base $B'$ for the null space of $A$ so that the first $v$ rows of $B'$ contain the identity matrix of size $v$. But then it is easy to see that there are vectors in the span of $B'$ that do not belong in the span of $B$, a contradiction. As a result $\gamma_1, \ldots, \gamma_v$ should be linearly independent. The same argument holds for any other $v$ vectors of $\Gamma$. $\square$
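To make the coloring construction and Theorem 11 concrete, the following Python code is an added example (not the authors' code) implementing a toy version of the [BF99] scheme: it builds $A$ and a null-space basis $B$ over $\mathbb{Z}_q$, derives the user keys $\mathbf{d}_i = \theta_i \gamma_i$, and lets a tracer submit strings $(C, g^{z_1}, \ldots, g^{z_v})$, which user $i$ decrypts to $C / g^{\theta_i (\gamma_i \cdot \mathbf{z})}$ (such a string is a valid ciphertext iff $\mathbf{z} = a\mathbf{r}$). The `demo` routine shows that the tracer can give $v - 1$ users one label, that the self-protecting decoder of Section 4.2 answers that label when all its traitor keys lie in the class and "0" otherwise, and that demanding one label for $v$ users forces the unique solution $\mathbf{z} = a\mathbf{r}$ (Theorem 11). The group parameters ($q = 1019$, $p = 2q + 1$, $g = 4$), the user count and all function names are assumptions for illustration; a real deployment uses a group of cryptographic size.

```python
"""Toy [BF99] MES with tracer colorings and a self-protecting pirate.
Added example, not the paper's code; group size and all names are assumptions."""
import random

q = 1019        # prime order of the exponent group Z_q (toy size, assumption)
p = 2 * q + 1   # 2039 is prime; G_q is the order-q subgroup of Z_p^*
g = 4           # a square mod p other than 1, hence a generator of G_q


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % q


def rref_mod(M):
    """Reduced row echelon form over Z_q; returns (rows, pivot columns)."""
    M = [row[:] for row in M]
    pivots, r = [], 0
    for col in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][col]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][col], -1, q)
        M[r] = [x * inv % q for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][col]:
                f = M[i][col]
                M[i] = [(x - f * y) % q for x, y in zip(M[i], M[r])]
        pivots.append(col)
        r += 1
    return M, pivots


def nullspace_mod(A, ncols):
    """Basis of {x : A x = 0 over Z_q}, one vector per free column of A."""
    R, pivots = rref_mod(A)
    basis = []
    for f in (c for c in range(ncols) if c not in pivots):
        x = [0] * ncols
        x[f] = 1
        for row, pc in zip(R, pivots):
            x[pc] = (-row[f]) % q
        basis.append(x)
    return basis


def solve_mod(A, b):
    """Solution x of the square, full-rank system A x = b over Z_q."""
    R, pivots = rref_mod([row + [bi] for row, bi in zip(A, b)])
    x = [0] * len(A[0])
    for row, pc in zip(R, pivots):
        x[pc] = row[-1]
    return x


def keygen(n, v, rng):
    """gamma_i = i-th row of B, whose columns span the null space of the (n-v) x n
    matrix A with rows (1^i, ..., n^i); d_i = theta_i * gamma_i with r . d_i = c."""
    A = [[pow(u, i, q) for u in range(1, n + 1)] for i in range(n - v)]
    cols = nullspace_mod(A, n)
    gamma = [[col[i] for col in cols] for i in range(n)]
    c = rng.randrange(1, q)
    while True:                                   # r . gamma_i must be invertible
        r = [rng.randrange(q) for _ in range(v)]
        if all(dot(r, gi) for gi in gamma):
            break
    d = [[c * pow(dot(r, gi), -1, q) * x % q for x in gi] for gi in gamma]
    pk = (pow(g, c, p), [pow(g, rj, p) for rj in r])   # (y, h_1, ..., h_v)
    return pk, d, gamma, r


def encrypt(pk, M, a):
    """[BF99] ciphertext (M y^a, h_1^a, ..., h_v^a)."""
    y, h = pk
    return (M * pow(y, a, p) % p, [pow(hj, a, p) for hj in h])


def decrypt(d_i, ct):
    """C / prod_j tail_j^{(d_i)_j}; on a valid ciphertext this equals M."""
    C, tail = ct
    acc = 1
    for hj, dj in zip(tail, d_i):
        acc = acc * pow(hj, dj, p) % p
    return C * pow(acc, -1, p) % p


def query(z, C=1):
    """Tracer string (C, g^{z_1}, ..., g^{z_v}): user i decrypts it to
    C / g^{theta_i (gamma_i . z)}, so its label depends on gamma_i . z only."""
    return (C, [pow(g, zj, p) for zj in z])


def color_classes(d, ct):
    """Coloring induced by ct: label -> set of users (1-based) receiving it."""
    classes = {}
    for i, di in enumerate(d, start=1):
        classes.setdefault(decrypt(di, ct), set()).add(i)
    return classes


def self_protecting_decoder(traitor_keys, ct):
    """Section 4.2 strategy: decrypt with every traitor key; answer the common
    value if the projected coloring has one color, otherwise answer 0."""
    outs = {decrypt(di, ct) for di in traitor_keys}
    return outs.pop() if len(outs) == 1 else 0


def demo(n=8, v=4, seed=1):
    rng = random.Random(seed)
    pk, d, gamma, r = keygen(n, v, rng)
    M = 123
    # A valid ciphertext is decrypted by the pirate whatever keys it holds.
    normal = self_protecting_decoder([d[0], d[3], d[7]], encrypt(pk, M, rng.randrange(1, q)))
    # Color users 1..v-1 alike (gamma_i . z = 0) and user v differently (gamma_v . z = 1).
    z = solve_mod(gamma[:v], [0] * (v - 1) + [1])
    largest = max(len(s) for s in color_classes(d, query(z)).values())
    hit = self_protecting_decoder([d[0], d[1]], query(z))       # traitors inside the class
    miss = self_protecting_decoder([d[0], d[v - 1]], query(z))  # one traitor outside -> 0
    # Theorem 11: demanding gamma_i . z = a (r . gamma_i) for v users has the unique
    # solution z = a r, i.e. the string is a valid ciphertext and colors everyone alike.
    a = rng.randrange(1, q)
    z2 = solve_mod(gamma[:v], [a * dot(r, gi) % q for gi in gamma[:v]])
    trivial = z2 == [a * rj % q for rj in r] and len(color_classes(d, query(z2))) == 1
    return normal, largest, hit, miss, trivial
```

The tracer only needs the user keys to craft the $v - 1$ class (it solves $\gamma_i \cdot \mathbf{z} = 0$), whereas making $v$ users agree pins $\mathbf{z}$ to a multiple of $\mathbf{r}$, which is exactly why the self-protecting decoder with more than $v - 1$ keys always sees two colors on an invalid query.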

By Theorem 6 we know that almost all users ($n - o(n)$) should be colored in the same way in order for the pirate decoder to be unable to detect tracing. However, by the previous Theorem it holds that at most $v - 1$ users can be colored in the same way (otherwise the coloring becomes trivial, which means that the ciphertext does not constitute a query which helps in tracing, by Proposition 5). As a result it should hold that $v = n - o(n)$; note that in this case $v/n \to 1$ as $n \to \infty$. As a result we obtain the following corollary:
Corollary 12. Let a $(t(n), f(n), v(n))$-BBTTS be a scheme based on the [BF99]-MES. If $t(n) = \omega(\log n)$ then it holds that either $f(n) = \Theta(n)$ or $v(n) = n - o(n)$.

Essentially this means that the [BF99]-scheme is incapable of black-box tracing superlogarithmic self-protecting traitor collusions unless the ciphertext size is linear in the number of users.

Regarding single-query black-box confirmation (introduced in [BF99]) we showed that when suspicion is modeled as biasing the uniform distribution, where suspects are distinguished by increasing the probabilistic confidence in them being traitors, then as a result of section 4.3 it holds that:

Corollary 13. In the [BF99]-scheme, Single-query Black-box confirmation is impossible against a pirate decoder which includes $t(n) = \omega(\log n)$ traitor keys, unless the probability that a user is a suspect given that it is a traitor is arbitrarily close to 1.

Note: in [BF99], a more sophisticated combination of black-box confirmation with traitor tracing is presented. The scheme is a single-query black-box confirmation in principle, but multiple queries that induce different colorings within the suspect set are employed, until a traitor is pinned down. Our negative results for black-box confirmation (in the self-protecting model variant) apply to this setting as well. The arguments in [BF99] are plausible in the "arbitrary pirates" model (including the self-protecting one). For the method to work, however, they assume "compactness" (called the confirmation requirement), namely that it is given that all traitors are within the suspect list. Our results point out that without this compactness, relying solely on likelihood (modeled as probability), successful confirmation is unlikely unless there is a very high confidence level (which will enforce the "compactness condition" almost always). Our results do not dispute black-box confirmation under compactness but rather point to the fact that obtaining (namely, biasing a uniform distribution to get) a "tight" suspect set $S$ which satisfies compactness at the same time can be hard.

5.2 The [KD98]-Scheme

Description. The scheme of Kurosawa and Desmedt is defined as follows: a random secret polynomial $f(x) = a_0 + a_1 x + \ldots + a_v x^v$ is chosen and the values $g^{a_0}, \ldots, g^{a_v}$ are publicized (the public key of the system). User $i$ is given $f(i)$ as its secret key. A message $s$ is encrypted as follows: $(g^r, s g^{r a_0}, g^{r a_1}, \ldots, g^{r a_v})$, where $r$ is chosen at random. User $i$ decrypts as follows: $s g^{r a_0} \prod_{j=1}^{v} (g^{r a_j})^{i^j} / (g^r)^{f(i)} = s$.

It is more convenient to think of the secret key of user $i$ as $(f(i), \mathbf{i})$ where $\mathbf{i} := (1, i, i^2, \ldots, i^v)$. In [KD98] it was proven that their scheme satisfies key-user correspondence for collusions of up to $v$ users provided the discrete-log problem is hard. However non-ambiguity of collusions was overlooked, something pointed out in [SW98a] and in [BF99].

The problem arises from the fact that the set of possible keys used also includes linear combinations of user keys: $(\sum_{m=1}^{t} \alpha_m f(i_m), \sum_{m=1}^{t} \alpha_m \mathbf{i}_m)$ where $\alpha_m \in \mathbb{Z}_q$ with $\sum_{m=1}^{t} \alpha_m = 1$ and $i_1, \ldots, i_t \in \{1, \ldots, n\}$. This tuple can also be used for decryption of $(g^r, s g^{r a_0}, \ldots, g^{r a_v})$ in exactly the same way as a user key, since $\sum_m \alpha_m f(i_m) = \sum_{j=0}^{v} a_j \sum_m \alpha_m i_m^j$ and the condition $\sum_m \alpha_m = 1$ keeps the first coordinate of the combined vector equal to 1.

To achieve non-ambiguity of collusions we would like to show that given any two disjoint subsets of users $i_1, \ldots, i_t$ and $j_1, \ldots, j_t$ it should hold that $\{\sum_{m=1}^{t} \alpha_m \mathbf{i}_m \mid \alpha_1, \ldots, \alpha_t\} \cap \{\sum_{m=1}^{t} \alpha_m \mathbf{j}_m \mid \alpha_1, \ldots, \alpha_t\} = \emptyset$. Something that can be true only if $v \geq 2t$, i.e. $v$ should be twice the size of the biggest traitor collusion allowed. In the light of this, it is not known if it is possible to trace traitors in this scheme (even in the non-black-box setting). The only known approach is the brute-force "black-box confirmation" over all possible traitor subsets, which needs exponential time (unless the number of traitors is assumed to be a constant). Despite this shortcoming the [KD98]-scheme is a very elegant public-key MES that inspired further work. In the rest of the section we show that the [KD98]-scheme has similar black-box traitor tracing limitations as the [BF99]-scheme.



Negative Results. Suppose we want to induce the coloring $\bigcup_{i=1}^{k(n)} C_i^n$ in the [KD98]-MES. Given a (possibly invalid) ciphertext $(g^r, s g^{a_0 x_0}, g^{a_1 x_1}, \ldots, g^{a_v x_v})$, user $i$ applies $(f(i), \mathbf{i})$ to obtain $s g^{\sum_{j=0}^{v} a_j x_j i^j - r f(i)}$. So we can color each user by a color label $s g^{c_i}$ if we find a $\mathbf{z}$ s.t. $\mathbf{z} \cdot \mathbf{i} = c_i$ for all $i = 1, \ldots, n$; given such a $\mathbf{z}$ we can compute the appropriate $x_0, \ldots, x_v$ values to use in the ciphertext as follows: $x_j = z_j (a_j)^{-1} + r$ for $j = 0, \ldots, v$. The set of all valid ciphertexts corresponds to the choice $\mathbf{z} = \mathbf{0}$ (and in this case it follows that $x_0 = \ldots = x_v = r$); nevertheless the choice $\mathbf{z} = (\alpha, 0, \ldots, 0)$ also colors all users in the same way, although in this case the decryption yields $s g^{\alpha}$ (instead of $s$).

Next we present a property of the Kurosawa-Desmedt scheme, showing that an invalid ciphertext (which induces more than one color) cannot color too many users by the same color.

Theorem 14. In the [KD98]-MES, given a (possibly invalid) ciphertext that induces a coloring over the user population so that $v + 1$ users are labelled by the same color, then all users are labelled by the same color.



Proof. Suppose that the ciphertext $(g^r, s g^{a_0 x_0}, \ldots, g^{a_v x_v})$ induces a color label $s g^{c_i}$ on user $i$ so that $v + 1$ users are colored in the same way. Without loss of generality we assume that $c_1 = \ldots = c_{v+1}$. Define $z_j := (x_j - r) a_j$ for $j = 0, \ldots, v$. It follows that $\mathbf{i} \cdot \mathbf{z} = c_i$ for $i = 1, \ldots, n$. Seen as a linear system with $\mathbf{z}$ as the unknown vector, the equations $\mathbf{i} \cdot \mathbf{z} = c_i$ for $i = 1, \ldots, n$ say that $\mathbf{z}$ corresponds to the coefficients of a polynomial $p(x) := z_0 + z_1 x + \ldots + z_v x^v$ such that $p(i) = c_i$ for $i = 1, \ldots, n$. Because $p(1) = \ldots = p(v+1)$ and the degree of $p$ is at most $v$, it follows immediately that $p$ has to be a constant polynomial, i.e. $\mathbf{z} = (\alpha, 0, \ldots, 0)$ with $\alpha = p(1) = \ldots = p(v+1)$. (Any $v + 1$ equal-value points on the polynomial will imply the above, which justifies the arbitrary choice of users.) It follows immediately that user $i$ receives the color label $s g^{c_i} = s g^{p(i)} = s g^{\alpha}$ and as a result all users are labeled by the same color. $\square$
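The polynomial view of the [KD98] colorings is easy to exercise. The following Python code is an added example (not the authors' code) implementing a toy version of the scheme: it decrypts with a compound key $(\sum_m \alpha_m f(i_m), \sum_m \alpha_m \mathbf{i}_m)$, builds a tracer string from coefficients $\mathbf{z}$ so that user $i$ decrypts to $s g^{p(i)}$, carries out the single-query confirmation of Section 4.3 by choosing $p(x) = \prod_{i \in S}(x - i)$ (every suspect gets the label $s$, everybody else a different one), and checks that a non-constant $p$ of degree at most $v$ colors at most $v$ users alike (Theorem 14). The group parameters ($q = 1019$, $p = 2q+1$, $g = 4$), the suspect set and all function names are assumptions for illustration only.

```python
"""Toy [KD98] MES: compound keys, polynomial colorings, single-query confirmation
and the v+1 bound of Theorem 14. Added example, not the paper's code; all
parameters and names are assumptions."""
import random

q, p, g = 1019, 2039, 4     # q prime, p = 2q+1 prime, g of order q in Z_p^* (toy size)


def keygen(n, v, rng):
    """f(x) = a_0 + ... + a_v x^v; public key (g^{a_0}, ..., g^{a_v});
    user i holds (f(i), i_vec) with i_vec = (1, i, ..., i^v)."""
    a = [rng.randrange(1, q) for _ in range(v + 1)]   # nonzero so a_j^{-1} exists
    pk = [pow(g, aj, p) for aj in a]
    keys = {}
    for i in range(1, n + 1):
        ivec = [pow(i, j, q) for j in range(v + 1)]
        keys[i] = (sum(aj * ij for aj, ij in zip(a, ivec)) % q, ivec)
    return pk, keys, a


def encrypt(pk, s, r):
    """(g^r, s g^{r a_0}, g^{r a_1}, ..., g^{r a_v})."""
    return (pow(g, r, p), s * pow(pk[0], r, p) % p, [pow(gj, r, p) for gj in pk[1:]])


def decrypt(key, ct):
    fi, ivec = key
    gr, c0, tail = ct
    acc = c0
    for cj, ij in zip(tail, ivec[1:]):
        acc = acc * pow(cj, ij, p) % p                 # s g^{sum_j a_j x_j i^j}
    return acc * pow(pow(gr, fi, p), -1, p) % p        # divided by (g^r)^{f(i)}


def combine(keys, idx, alphas):
    """Compound key sum_m alpha_m (f(i_m), i_m) with sum alpha_m = 1 (Section 5.2)."""
    assert sum(alphas) % q == 1
    fi = sum(al * keys[i][0] for al, i in zip(alphas, idx)) % q
    dim = len(keys[idx[0]][1])
    ivec = [sum(al * keys[i][1][j] for al, i in zip(alphas, idx)) % q for j in range(dim)]
    return fi, ivec


def coloring_query(a, z, r, s=1):
    """Tracer string for z = (z_0, ..., z_v): x_j = z_j a_j^{-1} + r, so user i
    decrypts to s g^{p(i)} with p(x) = z_0 + z_1 x + ... + z_v x^v; z = 0 is valid."""
    x = [(zj * pow(aj, -1, q) + r) % q for zj, aj in zip(z, a)]
    return (pow(g, r, p), s * pow(g, a[0] * x[0] % q, p) % p,
            [pow(g, aj * xj % q, p) for aj, xj in zip(a[1:], x[1:])])


def vanishing_poly(S, v):
    """Coefficients z_0..z_v of prod_{i in S} (x - i) over Z_q (needs |S| <= v)."""
    poly = [1]
    for i in S:
        poly = [((poly[k - 1] if k >= 1 else 0) - i * (poly[k] if k < len(poly) else 0)) % q
                for k in range(len(poly) + 1)]
    return poly + [0] * (v + 1 - len(poly))


def color_classes(keys, ct):
    """Coloring induced by ct: label -> set of users receiving it."""
    classes = {}
    for i, key in keys.items():
        classes.setdefault(decrypt(key, ct), set()).add(i)
    return classes


def self_protecting_decoder(traitor_keys, ct):
    """Section 4.2 strategy: one color among the traitor keys -> answer it, else 0."""
    outs = {decrypt(k, ct) for k in traitor_keys}
    return outs.pop() if len(outs) == 1 else 0


def demo(n=10, v=4, seed=7):
    rng = random.Random(seed)
    pk, keys, a = keygen(n, v, rng)
    s, r = 321, rng.randrange(1, q)
    # A compound key (alphas sum to 1 mod q) decrypts exactly like a user key.
    compound_ok = decrypt(combine(keys, [2, 5, 9], [3, q - 5, 3]), encrypt(pk, s, r)) == s
    # z = 0 reproduces the honest ciphertext for the same r.
    valid_matches = coloring_query(a, [0] * (v + 1), r, s) == encrypt(pk, s, r)
    # Single-query confirmation for suspects S: p vanishes on S, so suspects get label s.
    S = [1, 2, 3]                                      # constructed suspect set
    ct = coloring_query(a, vanishing_poly(S, v), r, s)
    classes = color_classes(keys, ct)
    confirmed = self_protecting_decoder([keys[1], keys[3]], ct)   # T within S -> s
    evaded = self_protecting_decoder([keys[1], keys[7]], ct)      # T not within S -> 0
    # Theorem 14: a non-constant p of degree <= v colors at most v users alike.
    largest = max(len(c) for c in classes.values())
    return compound_ok, valid_matches, classes[s], confirmed, evaded, largest
```

Because the suspect class is cut out by a polynomial of degree $|S| \leq v$, a suspect set larger than $v$ cannot be given a single color without coloring everyone, which is the [KD98] counterpart of the $v - 1$ limit in the [BF99] analysis.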
With similar arguments as in section 5.1 we conclude:

Corollary 15. Let a $(t(n), f(n), v(n))$-BBTTS be a scheme based on the [KD98]-MES. If $t(n) = \omega(\log n)$ then it holds that either $f(n) = \Theta(n)$ or $v(n) = n - o(n)$.

Essentially this means that the [KD98]-scheme is incapable of black-box tracing superlogarithmic self-protecting traitor collusions unless the ciphertext size is linear in the number of users.

Corollary 16. In the [KD98]-scheme, Single-query Black-box confirmation is impossible against a pirate decoder which includes $t(n) = \omega(\log n)$ traitor keys, unless the probability that a user is a suspect given that it is a traitor is arbitrarily close to 1.
Abstract. The study of minimal cryptographic primitives needed to implement secure computation among two or more players is a fundamental question in cryptography. The issue of complete primitives for the case of two players has been thoroughly studied. However, in the multi-party setting, when there are $n > 2$ players and $t$ of them are corrupted, the question of what are the simplest complete primitives remained open for $t \geq n/3$. We consider this question, and introduce complete primitives of minimal cardinality for secure multi-party computation. The cardinality issue (number of players accessing the primitive) is essential in settings where the primitives are implemented by some other means, and the simpler the primitive the easier it is to realize it. We show that our primitives are complete and of minimal cardinality possible.



1 Introduction 

In this paper, with respect to the strongest, active adversary, we initiate the 
study of minimal complete primitives for multi-party computation from the point 
of view of the cardinality of the primitive — i.e., the number of players accessing 
it. A primitive is called complete if any computation can be carried out by the 
players having access (only) to the primitive and local computation. A primitive 
is called minimal if any primitive involving less players is not complete. 

For $n$ players, $t$ of which might be corrupted, the question is well understood for $t < n/3$. In this paper we consider this question for $t \geq n/3$. We show that in fact there are three interesting "regions" for $t$: $t < n/3$, $n/3 \leq t < n/2$, and $n/2 \leq t < n$, and present, for each region, minimal complete primitives for $t$-resilient unconditional multi-party computation.

1.1 Prior and Related Work 

Secure multi-party computation. Secure multi-party computation (MPC) has
been actively studied since the statement of the problem by Yao in [Yao82].
For the standard model with secure pairwise channels between the players,
the first general solution of the problem was given by Goldreich, Micali, and
Wigderson [GMW87] with respect to computational security. Ben-Or, Goldwasser,
and Wigderson [BGW88] and Chaum, Crépeau, and Damgård [CCD88] constructed
the first general protocols with unconditional security. Additionally, it was
proven in [BGW88] that unconditionally secure MPC is possible if and only if
less than half (one third) of the players are corrupted passively (actively).

For the model where, in addition to the pairwise secure channels, a global
broadcast channel is available, Rabin and Ben-Or [RB89] constructed a protocol
that tolerates (less than) one half of the players being actively corrupted.
Their solution is not perfect, as it carries a small probability of error. However,
it was later shown by Dolev, Dwork, Waarts, and Yung [DDWY93] that this is
unavoidable for the case t ≥ ⌈n/3⌉ (and the assumed communication primitives),
as there exist problems with no error-free solutions in this setting. Fitzi and
Maurer [FM00] recently proved that, instead of global broadcast, broadcast among
three players is sufficient in order to achieve unconditionally secure MPC for
t < n/2.

Complete primitives. Another line of research deals with the completeness of
primitives available to the players. Kilian [Kil88] proved that oblivious transfer
(OT) [Rab81] is complete for two-party computation in the presence of an active
adversary. A complete characterization of complete functions for two-party
computation, for both active and passive adversaries, was given in [Kil00], based
on [Kil91] and results by Beimel, Micali, and Malkin [BMM99]. These results
are stated with respect to asymmetric multi-party computation, in the sense that
the result of the function is provided to one single (predefined) player.

A first generalization of completeness results to the more general n-party case
was made by Kilian, Kushilevitz, Micali, and Ostrovsky [KMO94,KKMO00],
who characterized all complete boolean functions for multi-party computation
secure against a passive adversary that corrupts any number of players.

With the noted exception of Goldreich's treatment of reductions in [Gol00],
previous work on complete primitives typically assumes that the cardinality of
the primitive is the same as the number of players involved in the computation.
In contrast, in this paper we are concerned with the minimal cardinality of
complete primitives for multi-party computation.

1.2 Our Results 

In this paper, for any primitive cardinality k, 2 ≤ k ≤ n, we give upper and
lower bounds on t such that there is a complete primitive g_k for multi-party
computation secure against an active adversary corrupting that many players.
With one exception, all these bounds are tight. In particular, for each resiliency
"region" t < n/3, n/3 ≤ t < n/2, and n/2 ≤ t < n, we present minimal complete
primitives for t-resilient unconditional multi-party computation. To our
knowledge, this is the first time that the power of the cardinality of
cryptographic primitives, and their minimality, is rigorously studied.
Table 1. Complete primitives of cardinality k

Primitive      Resiliency                           Primitive     Number of
cardinality    Efficient reduction   Lower bound                  instances
-------------------------------------------------------------------------------
k = 2          t < n/3               t < n/3        SC_2          (illegible)
k = 3          t < n/2               t < n/2        OC_3 / CC_3   (illegible)
4 ≤ k ≤ n−1    t < n/2               t < n−2        OC_3 / CC_3   (illegible)
k = n          t < n                 t < n          UBB_n         1

SC_2: Secure Channel, OC_3: Oblivious Cast, CC_3: Converge Cast, UBB_n: Universal
Black Box. OC_3, CC_3 and UBB_n are primitives introduced in this paper.



When k = 2, it is well known that secure pairwise channels (or, more generally,
OT) are enough (complete) for t < n/3, as follows from [BGW88,CCD88] and
[Kil88]. We show that, for n > 2, no primitive of cardinality 2 can go above
this resiliency bound, including primitives that are complete for 2-party
computation.

The case k = 3 is of special interest. We introduce two primitives: oblivious
cast, a natural generalization of oblivious transfer to the three-party case, and
converge cast, a primitive that is related to the anonymous channel of [Cha88],
and show that they are complete for t < n/2. In light of the impossibility result
for k = 2, these primitives are also minimal.

For the case k = n we introduce a new primitive, which we call the universal
black box (UBB), and show that it is complete for arbitrary resiliency (t < n).
This primitive has interesting implications for computations involving a trusted
third party (TTP), in that it enables oblivious TTPs, i.e., trusted parties that do
not require any prior knowledge of the function to be computed by the players,
even if a majority of the players are corrupted. The UBB is also minimal, since
we also show that no primitive of cardinality n − 1 can be complete for t < n.
These results are summarized in Table 1.

Multicast and "convergecast," with a single sender and a single recipient,
respectively, constitute two natural communication models. We also show that
no primitive that conforms to these types, even of full cardinality, can achieve
more than t < n/2, and therefore cannot be more powerful than our primitives of
cardinality 3. In other words, with respect to these types, Table 1 "collapses"
to two equivalence classes: k = 2 and 3 ≤ k ≤ n.

All the primitives we present allow for efficient multi-party computation.



2 Model and Definitions 

In this paper we focus on secure function evaluation (SFE) [Yao82] by a set P
of n players, where each player p_i has an input value x_i and obtains an output
value f_i(x_1, x_2, ..., x_n), for a (probabilistic) function f_i. We are interested in
unconditional security against an active adversary who may corrupt up to t of
the players; i.e., the adversary may make the corrupted players deviate from the
protocol in an arbitrarily malicious way, and no assumptions are made about his
computational power.

In contrast to the treatment of two-party computation (e.g., [Kil88,Kil00] and
[BMM99]), where only one predefined player receives the final result of the
computation, our model allows every player to receive his own (in general,
different) result, which corresponds to the general notion of multi-party
computation in [Yao82,CCD88,BGW88]. Similarly, our definition of a primitive,
as given in the next paragraph, also allows every involved player to provide an
input and get an output, as opposed to just one player. Nonetheless, our
constructions apply to the former model as well, since for each of our complete
multiple-output primitives there is also a single-output primitive that is
complete with respect to single-output SFE.



Primitives of arbitrary cardinality. Our communication model is based on ideal
primitives that can be accessed by k players, 2 ≤ k ≤ n, implementing the secure
computation of some k-ary, possibly probabilistic function; k is called the
cardinality of the primitive. Besides this primitive, no other means of
communication is assumed among the players.

We view primitives as "black boxes" in the sense that all implementation details
are hidden from the players. Depending on the function being implemented, of the
k players accessing the primitive one or more may secretly enter an input to it,
and one or more may secretly receive the value(s) of the function.

We use g_k[i, j] to denote the primitive implementing the k-ary function g, in
which i ≤ k players provide an input, and where j ≤ k players receive the output
of the function.¹ We call [i, j] the type of the primitive. We will drop the type
when clear from the context. We focus on the following types: [1, 1], [1, k],
[k, 1], and [k, k].²

Note that a primitive of a given cardinality can always be simulated (when
applicable) by the same primitive with a larger cardinality by cutting some of the
"wires." More formally, the following domination relation exists: let (k', i', j') ⊒
(k, i, j) (meaning k' ≥ k, i' ≥ i and j' ≥ j); then for every primitive g_k[i, j] there
exists a primitive g'_{k'}[i', j'] that is as powerful as g_k[i, j].

We assume that every subset S ⊆ P of k players shares k! instances of the
primitive, one for each permutation of the players; thus, we assume C(n, k)·k!
instances of the primitive in total. However, we will show that there is always
a (minimal complete) primitive such that, overall, polynomially many instances
(specifically, fewer than n³) of the primitive are sufficient.



Security model. Several formal definitions of secure function evaluation exist
(e.g., [Bea92,Can00,Gol00,GL90,MR92]). The process is assumed to be
synchronous, a fact that simplifies the task of reasoning about security. In [Can00]

¹ A complete specification of the primitive should include additional aspects, such as
which i (j) out of the k players provide an input (resp., receive an output), etc., but
the simpler notation will be expressive enough for the primitives we will consider.

² In the case of [1, 1], we always ignore the "reflexive" case (same player providing
input and receiving the output).
(and in a nutshell), the computation to be performed among the n players is
specified with respect to an incorruptible trusted party τ who interacts securely
with the players. For the special case of secure function evaluation, where a
function on the players' inputs is to be computed and revealed, such a process can
be defined by the players first secretly handing their inputs to τ, τ computing the
output corresponding to the (possibly probabilistic) function, and then handing
it back to the players. Such a protocol among P ∪ {τ} is called an ideal process.

Of course, the goal of multi-party computation is to perform the same task
without the need for a trusted party; thus, a multi-party computation protocol
for evaluating a function is called secure if it emulates the ideal evaluation process
of the function, i.e., if for every strategy of the adversary in the real protocol
there is a corresponding adversary strategy that, with similar cost, achieves the
same effect in the ideal process. In particular, this means that whenever the
ideal process satisfies some consistency or privacy property with respect to the
players (e.g., privately computes some specific function on the players' inputs),
then the secure protocol also satisfies it. This notion of security can then
be refined further by distinguishing among the different types of similarity
between the global outputs in the ideal and the real-life computations. We are
interested in unconditional security, which is obtained by requiring that these
output distributions be indistinguishable, except for a negligible function of the
security parameter, independently of the adversary's computational power.

The trusted party τ is assumed to be equivalent to a probabilistic Turing
machine with a memory tape of fixed (limited) size. This implies that τ can
perform any task a standard computer can, but not more. On the other hand,
τ is also equivalent to an arithmetic circuit (though of potentially large size)
and hence can be modeled as a (stateless) circuit. Thus, the multi-party
computation specification simply defines a sequence of circuit evaluations on the
players' inputs. Note that this ideal computation model, and hence the set of
problems computable with an SFE protocol, is as strong as the "standard" one
(e.g., [BGW88,CCD88,RB89]).

Reducibility and completeness. A main theme in this paper is that of reductions
"across" cardinalities. The notion of reduction generalizes to the case of an n-ary
function (n-player protocol) invoking another k-ary function (primitive of
cardinality k, resp.), with k ≤ n, in a natural way [Gol00]:

Definition 1 (Reductions). An n-player protocol unconditionally reduces f_n
to g_k for a given t < n, if it computes f_n unconditionally t-securely just by
black-box calls to g_k and local computation. In such a case we say that f_n
unconditionally reduces (for short, reduces) to g_k for that t.³

The notion of completeness also generalizes to the different-cardinality setting
in a natural way: if g_k is complete, one can use g_k to perform secure n-party
computation. More formally:

³ Note that the definition of reduction also admits the opposite direction, i.e., from
smaller cardinality to larger cardinality. Occasionally in our constructions we will
also use this direction (for example, by implementing secure pairwise channels using
a three-player primitive).
Definition 2 (Completeness). We say a primitive g_k is unconditionally complete
(for short, complete) for a given t < n, if every n-ary function unconditionally
reduces to g_k (for the same t).

Typically, the reduction step is applied more than once, by reducing a primitive
already known to be complete to another, perhaps simpler primitive. For example,
this is the case in the two-party setting, where protocols are given that implement
oblivious transfer using a different primitive (see, e.g., [Kil00]). This is also the
approach we will follow in this paper, by showing how to implement, using our
primitives, the "resources" that are known to be sufficient for SFE.

Furthermore, all our reductions are unconditionally secure in the sense that
the simulation can fail with some negligible probability, but, in the non-failure
case, it perfectly provides the desired functionality; i.e., compared to an ideal
implementation of the functionality, the reductions leak no additional information
and provide perfect correctness. (Note that this allows for parallel composition.)
Hence, by estimating the overall error probability of the complete reduction from
the given SFE problem to the complete primitive as the probability that at least
one single implementation of a reduction step fails, we actually get an upper
bound on the probability that the whole protocol does not provide perfect
security. Since our reductions keep this probability negligibly small, we achieve
unconditional security according to the definition above.

Finally, we note that all our reductions are efficient, i.e., polynomial in n
and a security parameter σ such that the overall error probability is smaller
than 2^{-σ}.



3 Primitives of Cardinality 2 

It is well known that secure channels (SC_2) are sufficient for unconditional
SFE [BGW88,CCD88] with t < n/3. That is, in our parlance:

Proposition 1. For any n, there is a primitive of cardinality 2, the secure
channel, that is complete for t < n/3.

Since we are assuming that every permutation of the players shares a primitive,
the type of a secure channel is [1, 1]; hence, for t < n/3, the complete primitive is
of the weakest type. We now prove that, for t ≥ ⌈n/3⌉, no primitive of cardinality
2 can be complete (if n > 2). This is done by showing that there is a problem,
namely broadcast (aka Byzantine agreement) [PSL80], that cannot be solved in a
model where players are connected by "g_2-channels" for any two-party primitive
g_2. We first recall the definition of broadcast.

Definition 3. Broadcast is a primitive among n players, one sender and n − 1
recipients. The sender sends an input bit b ∈ {0, 1} and the recipients get an
output (decision) value v ∈ {0, 1} such that the following conditions hold:

Agreement. All correct recipients decide on the same value v ∈ {0, 1}.

Validity. If the sender is correct, then all correct recipients decide on the sender's
input bit (v = b).
Fig. 1. Rearrangement of processors in the proof of Lemma 1.



We first consider the special case of n = 3 and t ≥ 1, and then reduce the
general case of n > 3 and t ≥ ⌈n/3⌉ to this special case. The impossibility
proof (for n = 3 and t ≥ 1) is based on the impossibility proof in [FLM86],
where it is shown that broadcast for t ≥ ⌈n/3⌉ is not achievable in a model with
pairwise authentic channels. In the new model, however, every pair of players
can perform secure two-party computation. The idea in the proof is to assume
that there exists an unconditionally secure broadcast protocol involving three
players interconnected by such a "g_2-channel", which then can be used to
build a different system with contradictory behavior, hence proving that such a
protocol cannot exist.

Lemma 1. Let n = 3. For any two-player primitive connecting each pair of
players, unconditionally secure broadcast is not possible if t ≥ 1.

Proof (sketch). Suppose, for the sake of contradiction, that there is a protocol
that achieves broadcast for three players p_0, p_1, and p_2, with p_0 being the
sender, even if one of the players is actively corrupted.

Let π_0, π_1, π_2 denote the players' corresponding processors with their local
programs and, for each i ∈ {0, 1, 2}, let π_{i+3} be an identical copy of processor
π_i; let the (set of) given two-party primitive(s) between two processors π_i and
π_j be called the channel between π_i and π_j. Instead of connecting the original
processors as required for the broadcast setting, we build a network involving
all six processors (i.e., the original ones together with their copies) by arranging
them in a circle, i.e., each processor π_i (i ∈ {0, ..., 5}) is connected (exactly) by
one channel with π_{(i+1) mod 6} and by one with π_{(i−1) mod 6}.

We now prove that for every pair of adjacent processors π_i and π_{(i+1) mod 6} in
the new system, and without the presence of an adversary, their common view is
indistinguishable from their view as the two processors π_{i mod 3} and π_{(i+1) mod 3}
in the original system with respect to an adversary that corrupts the remaining
processor π_{(i+2) mod 3} in an admissible way.⁴ Refer to Figure 1. The original
system is depicted in Figure 1(a). Let the processors π_0 and π_1 be correct. An
admissible

⁴ I.e., for every pair of original processors, the rearrangement simultaneously simulates
some particular adversary strategy by corrupting the third processor.
adversary strategy is to "split" π_2 and to make it behave independently with
respect to π_0 and π_1 (Figure 1(b)). Finally, by arranging the six processors in
a circle as described above and shown in Figure 1(c), this particular adversary
strategy is simulated with respect to every pair π_i and π_{(i+1) mod 6}.

The new system involves two processors of the type corresponding to the
sender, namely, π_0 and π_3, and these are the only processors that enter an
input. Let now π_0 and π_3 be initialized with different inputs, i.e., let's assume
that π_0 has input v_0 ∈ {0, 1} and that π_3 has input v_3 = 1 − v_0.⁵ We now show
that there are at least two pairs of adjacent processors in the new system, i.e.,
one third of all six such pairs, for which the broadcast conditions are not
satisfied despite being completely consistent with two correct processors in the
original system.

First, suppose that agreement holds with respect to every pair on, wlog, the
value v_0. Then the validity condition is violated with respect to both pairs
involving processor π_3, since v_3 ≠ v_0. On the other hand, suppose that the
agreement condition is violated with respect to at least one pair. Then there must
exist at least two such pairs, because the processors are arranged in a circle.

Hence, on inputs v_0 ∈ {0, 1} and v_3 = 1 − v_0, there must be some pair of
adjacent processors (α, β) = (π_i, π_{(i+1) mod 6}) that fails with a probability of at
least 1/3; otherwise, strictly fewer than two pairs would fail per such invocation
of the new system. The view of pair (α, β) is consistent with the view of the
pair (α_0, β_0) = (π_{i mod 3}, π_{(i+1) mod 3}) in the original system for one of the cases
where the sender inputs either v_0 = 0 or v_0 = 1. Let Pr_0 be the probability that
the sender selects input 0 in the original system. Then, in the original system, the
adversary can force the pair (α_0, β_0) to be inconsistent with a probability of at
least (1/3)·min(Pr_0, 1 − Pr_0), which is non-negligible, since Pr_0 and 1 − Pr_0 are
non-negligible by assumption. □

Theorem 1. Let n ≥ 3. For any primitive g_2, unconditionally secure broadcast
is not possible if t ≥ ⌈n/3⌉.

Proof. Assume that there is an unconditionally secure broadcast protocol Π for
n ≥ 3 players and some t ≥ ⌈n/3⌉ with arbitrarily small error probability ε > 0.
Then we can let three players p_0, p_1, and p_2 each simulate up to ⌈n/3⌉ of the
players in Π, with the sender in Π being simulated by p_0. Thus, this protocol
among players {p_0, p_1, p_2} achieves broadcast (with sender p_0) secure against
one corrupted player, because he simulates at most ⌈n/3⌉ of the players in Π,
which is tolerated by assumption. Since this contradicts Lemma 1, the theorem
follows. □

4 Primitives of Cardinality 3

Evidently, a primitive g_3[1, 1] is equivalent to g_2[1, 1], since in g_3 one of the
players neither provides an input nor receives an output. Hence, in this section

⁵ We assume that any input value from {0, 1} will be selected by the sender with
some non-negligible probability. Otherwise, the broadcast problem could be trivially
solved for any t < n.
we consider primitives (of cardinality 3) of type different from [1, 1]. In fact, it
turns out that either two inputs (and a single output) or two outputs (and a single
input) are sufficient. For each type we introduce a primitive and show it to be
complete for t < n/2. Moreover, we show that no primitive of cardinality 3 can
be complete for t ≥ ⌈n/2⌉.

It follows from [RB89,CDD+99] that pairwise secure channels and a global
broadcast channel are sufficient for SFE secure against t < n/2 active corruptions.
Hence, it is sufficient to show that the primitives introduced in this section
imply both unconditionally secure pairwise channels and global broadcast.



4.1 g_3[1, ∗] Primitives: Oblivious Cast

Definition 4. Oblivious cast (OC_3) is a primitive among three players: a sender
s who sends a bit b ∈ {0, 1} and two recipients r_0 and r_1, such that the following
conditions are satisfied:

(1) The bit b is received by exactly one of the recipients, r_0 or r_1, each with
probability 1/2.

(2) While both recipients learn who got the bit, the other recipient gets no
information about b. In case there are other players (apart from s, r_0 and
r_1), they get no information about b.

Implementing secure channels using oblivious cast. Secure pairwise channels can
be achieved by the simulation of authentic channels and the implementation of a
pairwise key-agreement protocol between every pair of players p_i and p_j. Players
p_i and p_j can then use the key (e.g., as a one-time pad) to encrypt the messages
to be sent over the authentic channel.

Lemma 2. Let n ≥ 3. Then authentic channel reduces to oblivious cast for
t < n/2.

Proof (sketch). An authentic channel between players p_i and p_j can be achieved
from oblivious cast among p_i, p_j, and some arbitrary third player p_k ∈ P \ {p_i, p_j}
by p_i (or p_j) oblivious-casting his bit (or whole message) σ times. Finally, p_j
decides on the first bit he has received in those oblivious casts.

Since it is sufficient to achieve authentic channels only between pairs of correct
players, we can assume that the sender is correct. The invocation of this channel
fails if p_j does not receive any of the bits being sent by oblivious cast, and this
happens with a probability of at most Pr^auth_err = 2^{-σ}. □

In order to generate a one-time pad (OTP) s_ij of one bit between two players
p_i and p_j, we can let p_i generate m random bits b_1, ..., b_m and oblivious-cast
them to p_j and some arbitrary third player p_k, where m is chosen such that,
with overwhelming probability, p_j receives at least one of those random bits
(every bit b_x is received by p_j with probability 1/2). Finally, p_j uses his
authentic channel to p_i (Lemma 2) to send to p_i the index x ∈ {1, ..., m} of the
first bit b_x that p_j received. Since p_k gets no information about that bit, b_x
can be used as an OTP bit between p_i and p_j. In order to get an OTP of length
ℓ > 1, this process can be repeated ℓ times.⁶

In order to guarantee that the transmission of a bit through the secure channel
thus obtained fails with an error probability of at most Pr_err = 2^{-σ}, we can
parameterize m and the security parameter for the invocations of the authentic
channel, σ_auth, as follows:

– Pr^OC_err ≤ 2^{-σ-1}: the probability that none of the m bits transmitted by
oblivious cast is received by player p_j.

– Pr^auth_err ≤ 2^{-σ-1}: the probability that at least one of the invocations of the
authentic channel fails.

So we can choose m = σ + 1. The number of invocations of the authentic channel
is ℓ = ⌈log m⌉ + 1 (⌈log m⌉ for the transmission of the index x plus one for the
final transmission of the encrypted bit). Hence σ_auth can be chosen as
σ_auth = σ + ⌈log ℓ⌉ + 1, so that a union bound over the ℓ invocations gives
ℓ·2^{-σ_auth} ≤ 2^{-σ-1}.

Lemma 3. Let n ≥ 3. Then secure channel reduces to oblivious cast for t < n/2.

Proof. From Lemma 2 and the discussion above it follows that the secure channel
construction has an error probability of Pr_err ≤ Pr^OC_err + Pr^auth_err ≤ 2^{-σ}. □

Implementing broadcast using oblivious cast. It is shown in [FM00] that a
three-party primitive called weak 2-cast, defined below, yields global broadcast
secure against t < n/2 active corruptions. Thus, it is sufficient to show that,
using oblivious cast, an implementation of weak 2-cast in any set S ⊆ P, |S| = 3,
and for any selection of a sender among those players, is possible. We first recall
the definition of weak 2-cast from [FM00].

Definition 5. Weak 2-cast is a primitive among three players: one sender and
two recipients. The sender sends an input bit b ∈ {0, 1} and both recipients get
an output (decision) value v ∈ {0, 1, ⊥} such that the following conditions hold:

(1) If both recipients are correct and decide on different values, then one of
them decides on ⊥.

(2) If the sender is correct, then all correct recipients decide on his input bit.

The idea behind the implementation of weak 2-cast using oblivious cast is
to have the sender repeatedly oblivious-cast his bit a given number of times.
Hence, a recipient who receives two different bits reliably detects that the sender
is faulty and may safely decide on ⊥. On the other hand, in order to make the
two recipients decide on different bits, a corrupted sender must oblivious-cast
0's and 1's in such a way that each recipient gets one value, but not the other
one. However, since the sender cannot influence which of the recipients gets a
bit, he can enforce this situation only with exponentially small probability. We
now describe the implementation in more detail.

⁶ A more efficient way to generate an OTP of length ℓ is to choose a larger m and
have p_j send to p_i the indices of the first ℓ bits he received. For simplicity we
restrict ourselves to the less efficient but simpler method.
Protocol Weak-2-Cast-Impl-1(s, {r_0, r_1}, σ):

1. Sender s oblivious-casts his bit (σ + 1) times to the recipients.

2. Each recipient r_i decides
   v_i = 0 if 0 was received at least once, and no 1's;
   v_i = 1 if 1 was received at least once, and no 0's;
   v_i = ⊥ otherwise.

Lemma 4. Protocol Weak-2-Cast-Impl-1 achieves weak 2-cast with an error
probability of at most 2^{-σ}, by only using oblivious cast and local computation.

Proof. If the sender is correct, the protocol can only fail if one of the recipients
does not receive any bit from the sender, because the sender always transmits
the same bit. Each recipient misses all σ + 1 casts with probability 2^{-(σ+1)}, and
the two events are disjoint, so this happens with probability
Pr_err1 = 2·2^{-(σ+1)} = 2^{-σ}.

If the sender is incorrect, the protocol may fail only if he manages to make
one of the recipients receive all 0's and the other one receive all 1's. In order
to achieve this, after having transmitted the first bit, the sender must correctly
guess in advance the recipient of every one of the σ subsequent bits. This happens
with probability Pr_err2 = 2^{-σ}.

Hence, the error probability is Pr_err ≤ max(Pr_err1, Pr_err2) = 2^{-σ}. □
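An exact analysis of Weak-2-Cast-Impl-1, as an added Python example that is not part of the paper. The only randomness in the protocol is which recipient each of the σ + 1 casts lands with, so the code enumerates every landing pattern, applies the decision rule of step 2, and returns the exact failure probability both for a correct sender and for a corrupt sender who picks any bit sequence in advance (he cannot see who received what, matching the proof's "guess in advance" argument). `None` stands for ⊥; the function names are this example's own.

```python
from fractions import Fraction
from itertools import product

BOTTOM = None   # the decision ⊥


def decide(received):
    """Decision rule of step 2 for one recipient, given the bits that landed
    with him (in casting order)."""
    if received and all(b == 0 for b in received):
        return 0
    if received and all(b == 1 for b in received):
        return 1
    return BOTTOM


def run(sender_bits, landing):
    """Ideal oblivious cast with a fixed landing pattern: cast i lands with
    recipient landing[i] in {0, 1}.  Returns the pair of decisions (v_0, v_1)."""
    got = ([], [])
    for b, who in zip(sender_bits, landing):
        got[who].append(b)
    return decide(got[0]), decide(got[1])


def failure_probability(sender_bits, honest_input=None):
    """Exact probability, over the uniformly random landing pattern, that the
    weak 2-cast conditions are violated.  With honest_input set, the sender is
    correct and condition (2) (both decide on his bit) is required; otherwise
    only condition (1) (no two different non-⊥ decisions) is required."""
    n = len(sender_bits)
    bad = 0
    for landing in product((0, 1), repeat=n):
        v0, v1 = run(sender_bits, landing)
        if honest_input is not None:
            bad += (v0 != honest_input or v1 != honest_input)
        else:
            bad += (v0 is not BOTTOM and v1 is not BOTTOM and v0 != v1)
    return Fraction(bad, 2 ** n)


def best_corrupt_sender(sigma):
    """Try every bit sequence a corrupt sender could cast in sigma + 1 rounds and
    return the largest probability of making the recipients decide 0 and 1."""
    return max(failure_probability(bits)
               for bits in product((0, 1), repeat=sigma + 1))
```

For σ = 4 both the honest-sender failure (one recipient receives nothing) and the best corrupt-sender split come out at exactly 2^{-4}; a corrupt sender who casts the same bit every time can never split the recipients, which is why mixing 0's and 1's is his only option.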

Lemma 4, together with the reduction of broadcast to weak 2-cast in [FM00]
(which does not require pairwise channels), immediately yields:

Lemma 5. Broadcast among n ≥ 3 players reduces to oblivious cast for t < n/2.

Lemmas 3 and 5 and the constructions of [RB89,CDD+99] yield:

Theorem 2. Let n ≥ 3. Then there is a single-input two-output primitive of
cardinality 3, oblivious cast, that is complete for t < n/2.

4.2 g_3[∗, 1] Primitives: Converge Cast

We now show that a cardinality-3 primitive with two inputs and a single output,
i.e., the converse of oblivious cast (in several ways), is also complete for
t < n/2. Specifically, we introduce converge cast, a primitive related to the
"anonymous channel" of [Cha88], defined as follows:

Definition 6. Converge cast (CC_3) is a primitive among three players: two
senders s_0 and s_1 and one recipient r. The senders send values x_i, i ∈ {0, 1},
from a finite domain D, |D| ≥ 3, such that the following conditions hold:

(1) The recipient r receives either x_0 or x_1, each with probability 1/2.

(2) Neither sender learns the other sender's input value, and none of the players
learns which of the senders was successful. In case there are other players
(apart from s_0, s_1 and r), they get no information about the input values
or the successful sender's identity.

As in the previous section, we show how to implement secure channels and
broadcast (weak 2-cast). We use "p_i, p_j ⇒ p_k : (x_i, x_j)" to denote an invocation
of converge cast with senders p_i and p_j sending values x_i and x_j, respectively,
and recipient p_k. Furthermore, for two sequences s_a and s_b of elements in {0, 1, 2}
of the same length, we use H(s_a, s_b) to denote the Hamming distance (number of
differing positions) between the sequences.
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Implementing secure channels using converge cast. We now present a protocol 
to implement a secure channel from pq to pi for the transmission of one bit Xg- 
The idea is as follows: first, pi and some other player, say, p 2 , choose two random 
keys of an adequate length, one for 0 and for 1, and converge-cast them to pg. pg 
stores the two received keys (note that each received key may contain elements 
from both senders), using the corresponding key as input to a converge cast with 
Pi as the recipient to communicate the desired bit. 

Protocol Secure-Channel-Impl-2(po, Pi, £)■ 

1. Player pi, i = 1, 2, computes random keys and of length £ over {0, 1, 2} 

2. pi,P 2 —^po- {s^i\ 3 ^ 2 '')', (element-wise) (po receives Sq°^;Sq^^) 

3. po,P 2 Pi- (so^°\*) (element-wise) (pi receives s() 

4. pi: if "H(s'i,s®) < then yi = 0, else j/i = 1 fi 

The proof of the following lemma follows from elementary probability, inde- 
pendently of P 2 ’s strategy: 

Lemma 6. Consider protocol Secure-Channel-Impl-2. If pg and pi are cor- 
rect, then for every k, k & {1, , 

(1) s'i[k] = with probability 

(2) = sj^ with probability 

Lemma 7. Let $n \ge 3$. Then secure channels reduce to converge cast for $t < n/2$.

Proof. Consider protocol Secure-Channels-Impl-2. First, it is easy to see that
$p_2$ gets no information about bit $x_0$. We now show that the channel also provides
authenticity. The only ways the protocol can fail are that either $x_0 = 0$ and
$\mathcal{H}(s_1', s_1^{(0)}) \ge$ [?] (probability $\Pr_0$), or that $x_0 = 1$ and $\mathcal{H}(s_1', s_1^{(0)}) <$ [?]
(probability $\Pr_1$). These probabilities can be estimated by Chernoff bounds:

— $\Pr_0$: By Lemma 6(1), $s_1'[k] = s_1^{(0)}[k]$ holds with probability [?]. Hence, $\Pr_0$
is the probability that out of $\ell$ trials with expected value [?]$\ell$, at most [?]$\ell$ do
match. We get $\Pr_0 <$ [?] $= e^{-[?]}$.

— $\Pr_1$: By Lemma 6(2), $s_1'[k] = s_1^{(0)}[k]$ holds with probability [?]. Hence, $\Pr_1$ is
the probability that out of $\ell$ trials with expected value [?]$\ell$, at least $(1 - [?])\ell = [?]\ell$
do match. We get $\Pr_1 <$ [?] $= e^{-[?]}$.

Thus, the overall error probability is $\Pr_{\mathrm{err}} < \max(\Pr_0, \Pr_1) = e^{-[?]}$. □
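The following Python simulation is an added example and not the paper's own code. It runs Secure-Channel-Impl-2 end to end under an assumed model of CC$_3$ (the recipient obtains the value of one sender chosen uniformly at random, and nobody learns which one), models $p_2$ as a cheater that inputs random values in step 3, and, because the threshold constant of step 4 is not legible in this copy, uses a threshold of $7\ell/12$. That threshold is derived from the expected Hamming distances under this model ($\ell/2$ for $x_0 = 0$ and $2\ell/3$ for $x_0 = 1$); both the model and those numbers are the example's own assumptions, not values from the page.

```python
import random
from typing import Dict, List, Sequence, Tuple

ALPHABET = (0, 1, 2)  # converge-cast inputs are elements of {0, 1, 2}


def converge_cast(x_i: int, x_j: int, rng: random.Random) -> int:
    """One CC3 invocation (model assumed by this example): the recipient
    obtains the value of one of the two senders, chosen uniformly at random,
    and nobody learns which sender was selected."""
    return x_i if rng.random() < 0.5 else x_j


def hamming(s_a: Sequence[int], s_b: Sequence[int]) -> int:
    """H(s_a, s_b): number of positions in which the two sequences differ."""
    return sum(1 for a, b in zip(s_a, s_b) if a != b)


def random_key(length: int, rng: random.Random) -> List[int]:
    return [rng.choice(ALPHABET) for _ in range(length)]


def threshold(ell: int) -> int:
    """Decision threshold for step 4 (example's own choice; the page's constant
    is not legible).  Under the CC3 model above the expected distance
    H(s1', s1^(0)) is ell/2 when x0 = 0 and 2*ell/3 when x0 = 1, so the
    example splits the difference at 7*ell/12."""
    return 7 * ell // 12


def transmit(x0: int, ell: int, rng: random.Random) -> Tuple[List[int], Dict[int, List[int]]]:
    """Steps 1-3 of Secure-Channel-Impl-2(p0, p1, ell); returns what p1 holds
    afterwards: the received sequence s1' and its own keys s1^(0), s1^(1).
    p2 is modelled as a cheater that inputs random values in step 3 (assumed
    strategy); it never sees p1's keys, so no choice helps it match them."""
    # Step 1: p1 and p2 each choose one random key per bit value.
    s1 = {b: random_key(ell, rng) for b in (0, 1)}
    s2 = {b: random_key(ell, rng) for b in (0, 1)}
    # Step 2: element-wise converge casts p1, p2 -> p0 of both keys; every
    # position of the stored key s0^(b) stems from either p1 or p2.
    s0 = {b: [converge_cast(s1[b][k], s2[b][k], rng) for k in range(ell)]
          for b in (0, 1)}
    # Step 3: p0, p2 -> p1; p0 inputs the stored key that encodes its bit x0.
    junk = random_key(ell, rng)
    s1_prime = [converge_cast(s0[x0][k], junk[k], rng) for k in range(ell)]
    return s1_prime, s1


def secure_channel_impl2(x0: int, ell: int, rng: random.Random) -> int:
    """Full run of the protocol; returns p1's output y1 (step 4)."""
    s1_prime, s1 = transmit(x0, ell, rng)
    return 0 if hamming(s1_prime, s1[0]) < threshold(ell) else 1


def decoding_errors(trials: int, ell: int, seed: int) -> int:
    """Send alternating bits and count how often p1 decodes the wrong bit."""
    rng = random.Random(seed)
    return sum(1 for i in range(trials)
               if secure_channel_impl2(i % 2, ell, rng) != i % 2)


def mean_distance_fraction(x0: int, ell: int, trials: int, seed: int) -> float:
    """Average of H(s1', s1^(0)) / ell, to observe the ell/2 vs 2*ell/3 gap."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        s1_prime, s1 = transmit(x0, ell, rng)
        total += hamming(s1_prime, s1[0])
    return total / (trials * ell)


if __name__ == "__main__":
    print("decoding errors in 40 runs:", decoding_errors(40, 900, 1))
    for bit in (0, 1):
        print(f"x0={bit}: mean H/ell =", round(mean_distance_fraction(bit, 900, 20, 2), 3))
```

With $\ell = 900$ the two distance distributions are separated by about five standard deviations, which is why the decoding error count comes out at zero; shrinking $\ell$ makes the Chernoff-bound error term of Lemma 7 visible as occasional wrong decodings.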

Implementing broadcast using converge cast. We now show how weak 2-cast of
a bit $x_0$ from $p_0$ to $p_1$ and $p_2$ can be simulated using CC$_3$. Roughly, the protocol
can be described as follows: First, $p_1$ and $p_2$ choose two random keys of
adequate length, one for 0 and one for 1, and converge-cast them to $p_0$. $p_0$ stores
the two received (mixed) keys. $p_0$ then sends his input bit to $p_1$ and $p_2$ using
secure channels. Additionally, $p_0$ sends to $p_1$ the (received) key corresponding
to his input bit. This key can then be used by $p_1$ to “prove” to $p_2$ which value
he received from $p_0$. If things “look” consistent to $p_2$ (see protocol below), he
adopts this value; otherwise, he outputs the value received directly from $p_0$.

92    M. Fitzi et al.

Let “$p_i \Rightarrow p_j$” denote the secure channel from $p_i$ to $p_j$ (by means of protocol
Secure-Channels-Impl-2).

Protocol Weak-2-Cast-Impl-2($p_0$, $\{p_1, p_2\}$, $\ell$).

1. Player $p_i$, $i = 1, 2$, computes random keys $s_i^{(0)}$ and $s_i^{(1)}$ of length $2\ell$ over $\{0, 1, 2\}$.

2. $p_1, p_2 \to p_0 : (s_1^{(b)}; s_2^{(b)})$ for $b = 0, 1$ (element-wise) ($p_0$ receives $s_0^{(0)}; s_0^{(1)}$).

3. $p_0 \Rightarrow p_i$ ($i = 1, 2$): $x_0 \in \{0, 1\}$ ($p_i$ receives $x_i \in \{0, 1\}$).

4. $p_0 \Rightarrow p_1 : s_0^{(x_0)}$ ($p_1$ receives $s_1'$).

5. $p_1$: if $\mathcal{H}(s_1', s_1^{(x_1)}) \le$ [?] then $y_1 = x_1$, else $y_1 = \bot$ fi.

6. $p_1 \Rightarrow p_2 : y_1; s_1'$ ($p_2$ receives $y_2; s_2'$).

7. $p_2$: if $(y_2 = \bot) \vee (\mathcal{H}(s_2', s_2^{(y_2)}) >$ [?]$)$ then $y_2 = x_2$ fi.



Lemma 8. Let $n \ge 3$. Then weak 2-cast reduces to converge cast for $t < n/2$.
The proof appears in Section A.

As before, Lemmas 7 and 8 and the constructions of [RB89, CDD+99, FM00]
yield

Theorem 3. Let $n \ge 3$. Then there is a two-input single-output primitive of
cardinality 3, converge cast, that is complete for $t < n/2$.

We note that allowing the inputs of converge cast to be from a larger domain
(than $\{0, 1, 2\}$) considerably improves the efficiency of our reductions.



4.3 Impossibility of $t \ge \lceil n/2 \rceil$ for $g_3$

We now show that no primitive of cardinality 3 can be complete with respect
to half resiliency. We do so by generalizing the impossibility proof in [FM00]
for broadcast with $t \ge \lceil n/2 \rceil$ using primitive 2-Cast, to arbitrary primitives of
cardinality 3.

Theorem 4. Let $n \ge 4$. For any primitive $g_3$, unconditionally secure broadcast
is not possible if $t \ge \lceil n/2 \rceil$.

Proof (sketch). Impossibility for $n = 4$ and $t = 2$: Suppose that there are four
processors (with local programs) that achieve broadcast for $t = 2$. Again, we
build a new system with the four processors and one copy of each, arranged in
a circle. Analogously to Lemma [?], the 3-player primitives can be reconnected
such that the view of any two adjacent processors is indistinguishable from their
view in the original system (i.e., they can be reconnected in the same way as
in the proof in [FM00]), and by assigning different inputs to the sender and its
copy we get the same kind of contradiction.

Impossibility for $n > 4$ and $t \ge \lceil n/2 \rceil$: Suppose now that there are $n$
processors and we want to achieve broadcast with $t \ge \lceil n/2 \rceil$. The processors are
partitioned into four sets and each set is duplicated. Instead of reconnecting
single processors, the connections between different sets are reconnected so that
the common view of all the processors in two adjacent sets is indistinguishable
from their view in the original system, and we get a contradiction along the lines
of [FM00]. □
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5 Primitives of Full Cardinality

In this section, we first show that even cardinality $n$ does not help if the primitive
is restricted, in the sense of having either a single input or a single output. Such
a primitive is no more powerful than a primitive of cardinality 3 (Section 4). We
then introduce a new primitive of type $[n, n]$, the universal black box (UBB$_n$),
which allows for arbitrary resiliency ($t < n$). The UBB$_n$ has an interesting
application to computations involving a trusted third party: its functionality
enables oblivious trusted third parties, that is, trusted parties which do not
require any prior knowledge of the function to be computed by the players.
Finally, we show that full cardinality is necessary to achieve arbitrary resiliency.
We start with the impossibility results for restricted primitives.



5.1 $g_n[1, *]$ and $g_n[*, 1]$ Primitives

Theorem 5. There is no $g_n[1, *]$ primitive complete for $t \ge \lceil n/2 \rceil$.

Proof (sketch). Assume that a particular primitive $g_n[1, *]$ is complete for $t \ge
\lceil n/2 \rceil$, and consider two players, $p$ and $q$, who want to compute the logical OR
of their input bits. We can have both players each simulate up to $\lceil n/2 \rceil$ of the
players involved in the complete primitive (in such a way that every original
player is simulated either by $p$ or by $q$), which allows them to securely compute the
OR function. Since there is only one input to $g_n$ (to be given either by $p$ or
by $q$), there must be a first invocation of the primitive that reveals some input
information to the other player. This is a contradiction to [BGW88], where it is
shown that no player may reveal any information about his input to the other
player unless he knows that the other player's input is 0. □

Theorem 6. There is no $g_n[*, 1]$ primitive complete for $t \ge \lceil n/2 \rceil$.

Proof (sketch). The proof is again by contradiction. Suppose that there is a
primitive of type $[*, 1]$ that is complete for $t \ge \lceil n/2 \rceil$. We can have two players
$p$ and $q$ each simulate up to $\lceil n/2 \rceil$ of the players involved in this primitive, which
allows them to securely compute any function on their inputs. Thus, there is
a two-player primitive with a single output that is complete with respect to
any computation where both players learn the same result. This is a direct
contradiction to the “one-sidedness” observation in [BMM99] that a protocol
based on an asymmetric two-player primitive cannot guarantee that both players
learn the result. □



5.2 $g_n[n, n]$ Primitives: The Universal Black Box

We now introduce the universal black box (UBB$_n$), a complete primitive for
$t < n$. At first, it might seem trivial to build a complete primitive for arbitrary
$t$ by just implementing the functionality of a trusted party. However, computations
by trusted parties are generally based on the fact that the trusted party
already knows the function to be computed. But since the primitive must be
universally applicable, it cannot have any prior information about what is to
be computed, i.e., what step of what computation is to be executed. Hence, the
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specification of the computation step to be performed by the black box must
be entered by the players at every invocation of the black box. Although there
seems to be no apparent solution to this problem, since a dishonest majority
might always overrule the honest players' specification, we now describe how the
UBB$_n$ effectively overcomes this problem.

For simplicity, we first assume that exactly one function is to be computed on
the inputs of all players, and that exactly one player, $p_0$, is to learn the result of
the computation. The more general cases (multiple functions, multiple/different
outputs) can be obtained by simple extensions to this case.

The main idea behind the UBB$_n$ is simple: It contains a universal circuit [?],
and has two inputs per involved player,

— the function input, wherein the player specifies the function to be computed
on all argument inputs, and

— the argument input, where the player inputs his argument to the function.

The UBB$_n$ now computes the function specified by player $p_0$, but for every
player that does not input the same function as $p_0$, it replaces his argument input
by some fixed default value. Finally, the function is computed by evaluating the
universal circuit on $p_0$'s function and all argument inputs, and its output is
sent to player $p_0$. Note that only one invocation of the UBB$_n$ is required per
computation.

Theorem 7. The universal black box is a complete primitive for $t < n$.

Proof (sketch). We show that privacy and correctness hold for arbitrary $t$.
Privacy: Trivially, no $p_i \ne p_0$ learns anything. On the other hand, $p_0$'s output
can give information about player $p_i$'s argument input only if $p_i$ entered the
same function input as $p_0$ (which means that $p_i$ had “agreed” on exactly this
computation). Hence, $p_0$ would get the same information about $p_i$'s argument
as in an ideal process involving a trusted party. If $p_0$ is corrupted and inputs a
wrong function input, no argument from a correct player will be used for this
computation.

Correctness: The function to be computed is selected by $p_0$. Hence, if he is correct,
the UBB$_n$ does compute the desired function. Corrupted players that input a
different function only achieve that their input is replaced by a default value
— a strategy that is also (easily) achievable in an ideal process by selecting the
default argument. □

Corollary 1. [Oblivious TTPs] Computations involving a trusted third party
do not require the trusted party to have any prior knowledge of the task to be
completed by the players.

The single-output version of a UBB$_n$ can be generalized to a multi-output
UBB$_n$ by the following modification. The function input specifies $n$ functions to
be computed on the inputs — one function per player. The function $f_i$ to be
computed and output to player $p_i$ is determined by player $p_i$ himself, and for
the computation of $f_i$ the argument inputs of only those players are considered
by the UBB$_n$ who agree on the same $n$ functions $f_1, \dots, f_n$ to be computed with
respect to the $n$ players, i.e., whose function inputs match the function
input of $p_i$.
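To make the replacement rule concrete, here is an added Python simulation (not the paper's code) of the single-output UBB$_n$ described above and of its multi-output extension. The universal circuit is stood in for by a tiny straight-line-program evaluator with "add" and "mul" gates; a function input is such a program (for the multi-output box, a tuple of $n$ programs, one per player); the default value 0, the gate set and the three-player scenario are constructed for this example.

```python
from typing import List, Tuple

# A function input is a straight-line program over wires: the first n wires are
# the players' argument inputs, every gate appends one wire, and the last wire
# is the output.  This encoding stands in for the universal circuit's function
# description (constructed for the example, not taken from the page).
Gate = Tuple[str, int, int]          # (operation, left input wire, right input wire)
Program = Tuple[Gate, ...]

DEFAULT_ARGUMENT = 0                 # the "fixed default value" of the text (assumed 0)


def evaluate(program: Program, arguments: List[int]) -> int:
    """Evaluate a program on the argument wires (the universal-circuit role)."""
    wires = list(arguments)
    for op, a, b in program:
        if op == "add":
            wires.append(wires[a] + wires[b])
        elif op == "mul":
            wires.append(wires[a] * wires[b])
        else:
            raise ValueError(f"unknown gate {op!r}")
    return wires[-1]


def ubb_single_output(function_inputs: List[Program], argument_inputs: List[int]) -> int:
    """Single-output UBB_n: evaluate p0's function on all arguments, replacing
    the argument of every player whose function input differs from p0's by the
    default value.  The result is what p0 receives."""
    f0 = function_inputs[0]
    effective = [arg if f == f0 else DEFAULT_ARGUMENT
                 for f, arg in zip(function_inputs, argument_inputs)]
    return evaluate(f0, effective)


def ubb_multi_output(function_inputs: List[Tuple[Program, ...]],
                     argument_inputs: List[int]) -> List[int]:
    """Multi-output UBB_n: p_i's function input names all n functions f_1..f_n;
    f_i is evaluated for p_i using only the arguments of players whose complete
    function input equals p_i's, every other argument being the default."""
    outputs = []
    for i, spec in enumerate(function_inputs):
        effective = [arg if f == spec else DEFAULT_ARGUMENT
                     for f, arg in zip(function_inputs, argument_inputs)]
        outputs.append(evaluate(spec[i], effective))
    return outputs


# Constructed scenario with n = 3 players and arguments 1, 2, 3.
SUM3: Program = (("add", 0, 1), ("add", 3, 2))      # wire 3 = a0 + a1, wire 4 = a0 + a1 + a2
PRODUCT: Program = (("mul", 0, 1), ("mul", 3, 2))   # wire 3 = a0 * a1, wire 4 = a0 * a1 * a2


def demo_single() -> Tuple[int, int]:
    """(all players agree on SUM3, p2 proposes PRODUCT instead)."""
    args = [1, 2, 3]
    agreed = ubb_single_output([SUM3, SUM3, SUM3], args)          # 1 + 2 + 3
    disagreeing = ubb_single_output([SUM3, SUM3, PRODUCT], args)  # p2's argument -> 0
    return agreed, disagreeing


def demo_multi() -> List[int]:
    """p0 and p1 agree on (SUM3, PRODUCT, SUM3); p2 inputs a different tuple."""
    spec_a = (SUM3, PRODUCT, SUM3)
    spec_b = (SUM3, SUM3, SUM3)
    return ubb_multi_output([spec_a, spec_a, spec_b], [1, 2, 3])


if __name__ == "__main__":
    print("single-output:", demo_single())   # (6, 3)
    print("multi-output: ", demo_multi())    # [3, 0, 3]
```

In `demo_multi` the argument of $p_2$ is invisible to $p_0$ and $p_1$ (it is replaced by the default in their evaluations), and $p_2$ only ever sees its own function applied to its own argument, which is exactly the privacy argument of Theorem 7.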
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Finally, we show that full cardinality is necessary in order to achieve arbitrary
resiliency (proof in Section A):

Theorem 8. For $k < n$, there is no primitive $g_k$ complete for $t < n$.

Moreover, there is strong evidence that even a primitive of the most powerful
category for cardinalities $k < n$, i.e., a $g_{n-1}[n-1, n-1]$, cannot be complete for
$t \ge \lceil n/2 \rceil$, but we have no formal proof for it.

Conjecture 1. For $k < n$, there is no primitive $g_k$ complete for $t \ge \lceil n/2 \rceil$.



6 Summary and Open Problems

Originally (Section [?]), we assumed that one primitive instance was available for
every permutation of every $k$-tuple of players, i.e., [?] instances. In contrast,
it follows from Proposition [?] and from the constructions for the proofs of
Theorems [?] and [?] that there is always a minimal complete primitive such that
at most $3\binom{n}{k}$ instances of the primitive are required for the computation of any
function.

Corollary 2. For each cardinality $k$, $2 \le k \le n$, and each primitive type, there
is a complete primitive such that at most $3\binom{n}{k}$ instances are sufficient for
unconditional SFE.

In this paper we have put forward the concept of minimal cardinality of
primitives that are complete for SFE. Since this is a new line of research, several
questions remain open.

We completely characterized the cases of types $[1, 1]$, $[1, k]$, and $[k, 1]$, for
all cardinalities $k < n$. In particular, for $t < n/3$ there is a complete primitive
SC$_2[1, 1]$ and no $g_2$ can do any better; and, for $t < n/2$, there are complete
primitives OC$_3[1, 2]$ and CC$_3[2, 1]$ and no $g_k$, $k < n$, can do any better. For the
case of type $[k, k]$ it remains to prove Conjecture 1 that no $g_{n-1}[n-1, n-1]$
is complete for $t \ge \lceil n/2 \rceil$. This would partition the whole hierarchy into three
equivalence classes of cardinalities $k = 2$ ($t < n/3$), $2 < k < n$ ($t < n/2$), and
$k = n$ ($t < n$).

It would also be interesting to analyze the completeness of primitives as
a function of the size of the input and output domains. For example, if the
primitive CC$_3$ were restricted to one single input bit per player and one single
output bit, it would not be complete for $t < n/2$. Also the completeness of the
UBB$_n$ for $t < n$ relies on the fact that inputs of large size are allowed.

Acknowledgements. We thank the anonymous referees for their valuable comments.
The work of Matthias Fitzi was partly done while visiting Bell Labs.
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A Proofs

We repeat the statements here for convenience.

Lemma 8. Let $n \ge 3$. Then weak 2-cast reduces to converge cast for $t < n/2$.

In the proof we will be using the following two lemmas. Their validity follows
from elementary probability.

Lemma 9. The probability that in protocol Weak-2-Cast-Impl-2 $p_0$ receives at
least [?]$\ell$ elements of $p_1$'s key and at most [?]$\ell$ elements of $p_2$'s key, or vice versa, is
$\Pr_1 < 2e^{-\ell/125}$.

Lemma 10. Given is a set of pairs $S = \{(x_1, y_1), \dots, (x_m, y_m)\}$ with elements
$x_i, y_i \in \{0, 1, 2\}$. If at least all elements $x_i$ or all elements $y_i$ are selected
uniformly at random from $\{0, 1, 2\}$, then the following holds:

(1) If $|S| \ge$ [?]$\ell$, then the probability that there are [?]$\ell$ or fewer indices $i$ such
that $x_i = y_i$ is $\Pr_2 < e^{-\ell/100}$.

(2) If $|S| \le$ [?]$\ell$, then the probability that there are [?]$\ell$ or more indices $i$ such
that $x_i = y_i$ is $\Pr_3 < e^{-\ell/255}$.

Proof of Lemma 8. Consider protocol Weak-2-Cast-Impl-2. Let us neglect
the error probabilities of the secure channel invocations (protocol
Secure-Channels-Impl-2) until the end of the proof. Assume that $p_0$ receives
at least [?]$\ell$ elements from each of the players' keys during step 2 (by Lemma 9 this
happens with probability at least $1 - \Pr_1$). Since the conditions for weak 2-cast
are trivially satisfied if more than one player is corrupted, we can distinguish
three cases.

• All players correct or at most $p_2$ corrupted. The only way the protocol can
fail is if $p_1$ decides on $\bot$ ($\mathcal{H}(s_1', s_1^{(x_0)}) >$ [?]$\ell$); i.e., that at most [?]$\ell$ elements of
$s_1'$ match with $p_1$'s key. We assume that $p_0$ receives at least $k \ge$ [?]$\ell$ elements of $p_1$'s
key during step 2, $k =$ [?]$\ell$ in the worst case. Hence, of all other $2\ell - k$
elements (i.e., the elements of $s_0^{(x_0)}$ originating from $p_2$), at most [?]$\ell - k =$ [?]$\ell$ are
identical to the element that $p_1$ chose for the same invocation of “$p_1, p_2 \to p_0$”.
By Lemmas 9 and 10 this happens with probability $\Pr_4 < \Pr_1 + \Pr_2 < 3e^{-\ell/300}$.

• $p_1$ corrupted. In order to achieve that $p_2$ decides on a wrong output it must
hold that $y_2 = 1 - x_0$ and $\mathcal{H}(s_2', s_2^{(y_2)}) \le$ [?]$\ell$ before step 7; i.e., that at least
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[?]$\ell$ elements of $s_2'$ match $p_2$'s key. But since $p_1$ does not learn anything about
the elements in $s_2^{(1-x_0)}$, he must guess [?] or more of those $2\ell$ elements correctly —
otherwise $p_2$ would decide on $x_0$. This probability can be estimated by Chernoff
bounds ($2\ell$ trials with expected value [?]$\ell$), and we get $\Pr_5 < e^{-\ell/[?]}$. (In fact, this
holds independently of the assumption at the beginning of the proof.)

• $p_0$ corrupted. Since $p_1$ and $p_2$ are correct, the following equalities hold before
step 7: $s_1' = s_2' =: s'$ and $x_1 = y_1 = y_2 =: y$. In order to achieve that $p_1$ and $p_2$
decide on different bits, $p_0$ must select $x_2 = 1 - y$ and achieve that $\mathcal{H}(s', s_1^{(y)}) \le$ [?]$\ell$
and $\mathcal{H}(s', s_2^{(y)}) >$ [?]$\ell$; i.e., $p_0$ must prepare $s'$ such that at least [?]$\ell$ elements still
match $p_1$'s key but at most [?]$\ell$ elements match $p_2$'s key. Given that the CC$_3$
statistics are good (which happens with probability $1 - \Pr_1$; see above), $s_0^{(y)}$
contains at most [?]$\ell$ elements originating from player $p_1$ and at least [?]$\ell$ elements
originating from player $p_2$. In the sequel we assume that these quantities exactly
hold, which constitutes the best case for $p_0$ to succeed (maximal number of
matches with $p_1$'s key and minimal number for $p_2$'s).

Suppose now that $s'$ is selected such that $h = \mathcal{H}(s', s_0^{(y)}) \ge$ [?]$\ell$. We show
that then $\mathcal{H}(s', s_1^{(y)}) \le$ [?]$\ell$ cannot be achieved almost certainly. By Lemma 10,
with probability $1 - \Pr_3$, there are at most [?]$\ell$ elements in $s'$ that match $s_1^{(y)}$
at positions where the corresponding element of $s_0^{(y)}$ was actually received from
$p_2$. Hence at least $x \ge (2 - [?])\ell - [?]\ell = [?]\ell$ elements of $s'$ must match at
positions where the corresponding element was actually received from $p_1$; i.e.,
of the $h \ge$ [?]$\ell$ differences between $s'$ and $s_0^{(y)}$, at most $y = [?]\ell - x \le [?]\ell$ may
be made up at positions where the corresponding element was received from
$p_1$. The probability of this event can be estimated by Hoeffding bounds [Chv79]
(hypergeometric distribution; $N = 2\ell$ elements, $n = [?]\ell$ trials, $K = [?]\ell$ “good”
elements, fewer than $k = [?]\ell$ hits), and we get $\Pr_a < e^{-[?]}$.

Suppose now that $s'$ is selected such that $h = \mathcal{H}(s', s_0^{(y)}) <$ [?]$\ell$. We show
that then $\mathcal{H}(s', s_2^{(y)}) >$ [?]$\ell$ cannot be achieved almost certainly. By Lemma 10,
with probability $1 - \Pr_2$, there are at least [?]$\ell$ elements in $s'$ that match $s_2^{(y)}$
at positions where the corresponding element of $s_0^{(y)}$ was actually received from
$p_1$. Hence at most $x \le (2 - [?])\ell - [?]\ell = [?]\ell$ elements of $s'$ may match $s_2^{(y)}$ at
positions where the corresponding element was actually received from $p_2$; in other
words, of the $h <$ [?]$\ell$ differences between $s'$ and $s_0^{(y)}$, at least $y = [?]\ell - x \ge [?]\ell$
must be made up at positions where the corresponding element was received
from $p_2$. The probability of this event can be estimated by the Hoeffding bound
(hypergeometric distribution; $N = 2\ell$ elements, $n = [?]\ell$ trials, $K = [?]\ell$ “good”
elements, more than $k = [?]\ell$ hits), giving $\Pr_b < e^{-[?]}$.

Hence, when $p_0$ is corrupted, we get an error probability of at most
$\Pr_6 < \Pr_1 + \max(\Pr_a + \Pr_3, \Pr_b + \Pr_2) < 4e^{-\ell/300}$.

Since the error probability of protocol Secure-Channels-Impl-2 can be
made negligibly small, it can be parameterized such that the overall probability
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that at least one invocation fails satisfies $\Pr_{sc} < e^{-\ell/300}$. Thus, the overall error
probability of the weak 2-cast construction is at most

$$\Pr_{\mathrm{err}} < \Pr_{sc} + \max(\Pr_4, \Pr_5, \Pr_6) < 5e^{-\ell/300}.$$

For security parameter $\sigma$, we let $\ell \ge 300(\sigma + \lceil \ln 5 \rceil)$, and hence $\Pr_{\mathrm{err}} < e^{-\sigma}$. □

Theorem 8. For $k < n$, there is no primitive $g_k$ complete for $t < n$.

Proof (sketch). Consider a UBB of cardinality $k = n - 1$. Since it is complete for
any computation among $n - 1$ players, it can securely simulate the functionality
of any $k$-player primitive with $k < n$; i.e., the existence of any $k$-player primitive
($k < n$) complete for $t < n$ would imply that the UBB$_{n-1}$ is also complete.
Hence it is sufficient to show that there is no complete $(n - 1)$-player primitive
for $t < n$.

Suppose, for the sake of contradiction, that there is an $(n - 1)$-player black
box BB$_{n-1}$ such that broadcast among the $n$ players $p_0, \dots, p_{n-1}$ is reducible to
BB$_{n-1}$ for $t < n$ — and hence also for $t = n - 2$, i.e., in the presence of exactly
two correct players.¹ Let $\pi_0, \dots, \pi_{n-1}$ denote the players' processors with their
local programs and, for each $i \in \{0, \dots, n - 1\}$, let $\pi_{i+n}$ be an identical copy
of processor $\pi_i$. For every processor $\pi_k$, $k \in \{0, \dots, 2n - 1\}$, let the number
$(k \bmod n)$ be called the type of $\pi_k$. Similarly to the proof of Lemma [?], we now build
a new system involving all $2n$ processors but, instead of reconnecting them with
pairwise channels, the instances of BB$_{n-1}$ have to be reconnected in such a way
that, again, for each pair of adjacent processors $\pi_i$ and $\pi_{(i+1) \bmod 2n}$, their view
in the new system is indistinguishable from their view in the original system,
for some particular strategy of an adversary corrupting all the remaining $n - 2$
processors.

In order to guarantee that the view of every processor pair $\pi_i$ and $\pi_{(i+1) \bmod 2n}$
is consistent with their view in the original system, the following two conditions
must be satisfied:

1. For every processor $\pi_i$, $i \in \{0, \dots, 2n - 1\}$, and for every selection of $n - 2$
processors of types different from $(i \bmod n)$, $\pi_i$ shares exactly one BB$_{n-1}$
with these processors (as it does in the original system).

2. If processor $\pi_i$, $i \in \{0, \dots, 2n - 1\}$, shares an instance of BB$_{n-1}$ with a
processor of type $(i \pm 1) \bmod n$ (i.e., an adjacent type in the original system),
then it shares it with the concrete processor $\pi_{(i \pm 1) \bmod 2n}$ (i.e., its adjacent
processor of this type in the new system).

This can be achieved by applying the following rule for every processor $\pi_i$,
$i \in \{0, \dots, 2n - 1\}$. For each $\delta$, $\delta = 1, \dots, n - 1$, there is a BB$_{n-1}$ that
originally connects $\pi_{i \bmod n}$ with all other processors but $\pi_{(i+\delta) \bmod n}$. For every
such $\delta$, exactly one BB$_{n-1}$ now connects $\pi_i$ with processors $\pi_{(i+1) \bmod 2n}, \dots,
\pi_{(i+\delta-1) \bmod 2n}$ and $\pi_{(i-1) \bmod 2n}, \dots, \pi_{(i-n+\delta+1) \bmod 2n}$. This principle is depicted
in Figure 2 for the special case of $n = 4$ and BB$_3$.

¹ Since, by definition, broadcast is trivial if strictly less than two players are correct,
this is the non-trivial case that involves the least number of correct players.
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Fig. 2. Reconnection of processors in the proof of Theorem 8, special case $n = 4$.

Now the proof proceeds as the proof of Lemma [?] by assigning different input
values to both sender processors, and concluding that the broadcast conditions
are not satisfied with respect to at least 2 of the $2n$ pairs of adjacent processors.
This contradicts the assumption that broadcast is possible with an arbitrarily
small error probability. □
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Abstract. We present a very efficient multi-party computation protocol
unconditionally secure against an active adversary. The security is
maximal, i.e., active corruption of up to $t < n/3$ of the $n$ players is tolerated.
The communication complexity for securely evaluating a circuit
with $m$ multiplication gates over a finite field is $O(mn^2)$ field elements,
including the communication required for simulating broadcast, but
excluding some overhead costs (independent of $m$) for sharing the inputs
and reconstructing the outputs. This corresponds to the complexity of
the best known protocols for the passive model, where the corrupted
players are guaranteed not to deviate from the protocol. The complexity
of our protocol may well be optimal. The constant overhead factor for
robustness is small and the protocol is practical.



1 Introduction

1.1 Secure Multi-party Computation

Secure multi-party computation (MPC), as introduced by Yao [Yao82], allows
a set of $n$ players to compute an arbitrary agreed function of their private
inputs, even if an adversary may corrupt up to $t$ arbitrary players. Almost any
distributed cryptographic protocol can be seen as a multi-party computation,
and can be realized with a general MPC protocol. Multi-party computation
protocols are an important building block for reducing the required trust and
building secure distributed systems. While currently special-purpose protocols
(e.g., for collective signing) are considered practical, this paper suggests also that
general-purpose protocols may well be practical for realistic applications.

Two different notions of corruption are usually considered. A passive (or
curious) adversary may only read the information stored by the corrupted players,
without controlling the players' behavior. Hence only privacy of the inputs is an
issue to consider, but not the correctness of the result. In contrast, an active
adversary can take full control of the corrupted players. Assuring not only the
privacy of the inputs, but also the correctness of the outputs (robustness)
appears to entail a substantial overhead. For instance, all known protocols make
(usually heavy) use of a broadcast sub-protocol for which the optimal known
communication complexity is $O(n^2)$.

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 101–118, 2001.
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We briefly review the classical results on secure MPC. Goldreich, Micali, and
Wigderson [GMW87] presented a protocol, based on cryptographic intractability
assumptions, which allows $n$ players to securely compute an arbitrary function
even if an active adversary corrupts any $t < n/2$ of the players. In the secure-channels
model, where bilateral secure channels between every pair of players
are assumed, Ben-Or, Goldwasser, and Wigderson [BGW88] and independently
Chaum, Crépeau, and Damgård [CCD88] proved that unconditional security is
possible if at most $t < n/3$ of the players are corrupted. In a model where
additionally physical broadcast channels are available, unconditional security is
achievable if at most $t < n/2$ players are corrupted [RB89, Bea91b, CDD+99].



1.2 Previous Work on Efficiency

In the past, both the round complexity and the communication complexity of
secure multi-party protocols were subject to many investigations: Protocols with
low round complexity [BB89, BFKR90, FKN94, IK00] suffer either from an
unacceptably high communication complexity (even quadratic in the number of
multiplication gates), or tolerate only a very small number of cheaters.

First steps towards better communication complexity were taken by Franklin
and Yung [FY92] and Gennaro, Rabin, and Rabin [GRR98], where first a private
but non-resilient computation is performed (for the whole protocol in [FY92],
and for a segment of the protocol in [GRR98]), and only in case of faults the
computation is repeated with a slow but resilient protocol. Although this
approach can improve the best-case complexity of the protocol (when no adversary
is present), it cannot speed up the protocol in the presence of a malicious
adversary: a single corrupted player can persistently enforce the robust but slow
execution, annihilating any efficiency gain.

Recently, Hirt, Maurer, and Przydatek [HMP00] proposed a new protocol for
perfectly secure multi-party computation with considerably better communication
complexity than previous protocols: A set of $n$ players can compute any
function (over a finite field $\mathbb{F}$) which is specified as a circuit with $m$ multiplication
gates (and any number of linear gates) by communicating $O(mn^{[?]})$ field
elements, contrasting the previously best complexity of $O(mn^{[?]})$. Subsequently,
the same complexity was achieved by Cramer, Damgård, and Nielsen [CDN01]
in the cryptographic model (where more cheaters can be tolerated).



1.3 Contributions

The main open question in this line of research was whether security against
active cheaters can be achieved with the same communication complexity as
security against passive cheaters, namely with $O(mn^2)$. For sufficiently large
circuits, we answer this question in the affirmative: The only (and unavoidable)
price for robustness is a reduction in the number of tolerable cheaters ($t < n/3$
instead of $t < n/2$). The computation complexity of the new protocol is on the
order of the communication complexity and hence not relevant. The achieved
communication complexity of $O(mn^2)$ may well be optimal as even in the passive
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model, it appears very difficult to avoid that for each multiplication gate, every
player sends a value to every other player.

The new protocol uses Beaver's circuit-randomization technique [Bea91a] and
the player-elimination framework from [HMP00].

2 Model

We consider the well-known secure-channels model as introduced in [BGW88,
CCD88]. The set $\mathcal{P} = \{P_1, \dots, P_n\}$ of $n$ players is connected by bilateral
synchronous reliable secure channels. Broadcast channels are not assumed to be
available. The goal of the protocol is to compute an agreed function, specified
as an arithmetic circuit over a finite field $\mathbb{F}$ with $|\mathbb{F}| > n$. The number of
multiplication gates in the circuit is denoted by $m$. To each player $P_i$ a unique public
value $\alpha_i \in \mathbb{F} \setminus \{0\}$ is assigned. The computation of the function is secure with
respect to a computationally unbounded active adversary that is allowed to
corrupt up to $t$ of the players, where $t$ is a given threshold with $t < n/3$. Once a
player is corrupted, the adversary can read all his information and can make the
player misbehave arbitrarily. We consider both static and adaptive adversaries,
and distinguish both cases in the analysis whenever necessary. The security of
our protocol is unconditional with an arbitrarily small probability of error. More
precisely, there is an event that occurs with negligible probability, and as long
as this event does not occur, the security of the protocol is perfect.



3 Protocol Overview

The protocol proceeds in two phases: In a preparation phase, which could
actually be performed as a pre-computation independent of the circuit (except
that an upper bound on the number $m$ of multiplication gates must be known), $m$
random triples $(a^{(i)}, b^{(i)}, c^{(i)})$ (for $i = 1, \dots, m$) with $c^{(i)} = a^{(i)} b^{(i)}$ are $t$-shared
among the players. In the computation phase, the circuit is evaluated gate by
gate, where for each multiplication gate one shared triple from the preparation
phase is used [Bea91a].

In the preparation phase, the triples are generated in a very efficient but
non-robust manner (essentially with techniques from the passive protocol of
[BGW88]). The generation is divided into blocks, and after each block, the
consistency of all triples in this block is verified in a single verification procedure. If
a block contains inconsistent triples, this is detected with overwhelming
probability, and a set of two players that accuse each other of cheating is identified and
eliminated from the protocol execution. The triples from the erroneous block are
of course not used. At the end of the preparation phase, we have $m$ triples that
are $t$-shared among the set $\mathcal{P}'$ of remaining players, and it will be guaranteed
that the number $t'$ of corrupted players in $\mathcal{P}'$ is smaller than $(|\mathcal{P}'| - t)/2$,
which is sufficient for evaluating the circuit.
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In the computation stage, for every multiplication one random triple is
required. Two linear combinations of the values in this triple must be
reconstructed. Therefore, it is important that all triples are shared with the same
degree $t$ (for privacy), and that $2t' < |\mathcal{P}'| - t$ (for reconstructibility).

The fault-localization procedure of the preparation phase is rather involved
because it identifies a set of two players, one of whom is corrupted, whereas
finding such a set of three players would be easy. However, eliminating a set of
three players would violate the condition $2t' < n' - t$, and the $t$-shared triples
would be useless.

As the underlying secret-sharing scheme we use the scheme of Shamir [Sha79],
like in most threshold protocols: In order to $t$-share a value $s$, the dealer selects
a random polynomial $f$ of degree at most $t$ with $f(0) = s$, and hands the share
$s_i = f(\alpha_i)$ to player $P_i$ for $i = 1, \dots, n$. Selecting a random polynomial of
degree at most $t$ means to select $t$ random coefficients $a_1, \dots, a_t \in \mathbb{F}$ and to set
$f(x) = s + a_1 x + \dots + a_t x^t$. We say that a value $s$ is $t$-shared among the players
if there exists a polynomial $f(x)$ of degree at most $t$ such that $f(0) = s$ and the
share $s_i$ held by player $P_i$ satisfies $s_i = f(\alpha_i)$ for $i = 1, \dots, n$. Such a $t$-shared
value can be efficiently reconstructed by a set $\mathcal{P}' \subseteq \mathcal{P}$ of players, as long as fewer
than $(|\mathcal{P}'| - t)/2$ of them misbehave (e.g., see [BW86]).
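As an added illustration (not code from the paper), the following Python implements Shamir $t$-sharing over a prime field exactly as defined above and then uses one $t$-shared triple $(a, b, c = ab)$ to multiply two $t$-shared values the way the computation phase of the overview describes: only the two linear combinations $d = x - a$ and $e = y - b$ are reconstructed, after which every player locally computes its share of $xy = c + d\,b + e\,a + d\,e$. The prime $p = 2^{31} - 1$, the evaluation points $\alpha_i = i$, and the honest-reconstruction simplification (plain Lagrange interpolation from $t + 1$ shares, without the error correction the page refers to) are assumptions of this example.

```python
import random
from typing import List, Sequence, Tuple

P = 2_147_483_647  # prime field F = GF(p); any prime with |F| > n works (assumption)


def eval_poly(coeffs: Sequence[int], x: int) -> int:
    """Evaluate f(x) = coeffs[0] + coeffs[1] x + ... + coeffs[t] x^t mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def t_share(secret: int, t: int, alphas: Sequence[int], rng: random.Random) -> List[int]:
    """Shamir t-sharing: f has degree at most t with f(0) = secret, and player
    P_i receives the share s_i = f(alpha_i)."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [eval_poly(coeffs, a) for a in alphas]


def reconstruct(points: Sequence[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 from t + 1 points (alpha_i, s_i).
    Assumes the given shares are correct; robust decoding is not implemented."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * xj % P
                den = den * (xj - xi) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def beaver_multiply(x_shares: Sequence[int], y_shares: Sequence[int],
                    triple: Tuple[Sequence[int], Sequence[int], Sequence[int]],
                    alphas: Sequence[int], t: int) -> List[int]:
    """Given t-sharings of x and y and of a random triple (a, b, c = ab), return
    a t-sharing of xy.  Only d = x - a and e = y - b are reconstructed, i.e.
    two linear combinations of the triple values; a, b, c stay hidden."""
    a_sh, b_sh, c_sh = triple
    d_sh = [(x - a) % P for x, a in zip(x_shares, a_sh)]   # still degree-t sharings
    e_sh = [(y - b) % P for y, b in zip(y_shares, b_sh)]
    d = reconstruct(list(zip(alphas, d_sh))[: t + 1])
    e = reconstruct(list(zip(alphas, e_sh))[: t + 1])
    # xy = (a + d)(b + e) = c + d*b + e*a + d*e; d and e are public constants, so
    # the result is again a sharing of degree at most t.
    return [(c + d * b + e * a + d * e) % P for a, b, c in zip(a_sh, b_sh, c_sh)]


def demo(n: int = 7, t: int = 2, x: int = 123, y: int = 456, seed: int = 7) -> Tuple[int, int]:
    """Share x and y, multiply them with a fresh triple, reconstruct from players
    P_4..P_6 (any t + 1 shares suffice), and return (result, expected)."""
    rng = random.Random(seed)
    alphas = list(range(1, n + 1))  # distinct public non-zero evaluation points
    a, b = rng.randrange(P), rng.randrange(P)
    triple = (t_share(a, t, alphas, rng),
              t_share(b, t, alphas, rng),
              t_share(a * b % P, t, alphas, rng))
    z_shares = beaver_multiply(t_share(x, t, alphas, rng),
                               t_share(y, t, alphas, rng), triple, alphas, t)
    return reconstruct(list(zip(alphas, z_shares))[3:6]), x * y % P


if __name__ == "__main__":
    print(demo())  # (56088, 56088)
```

The point the overview makes about degrees is visible in `beaver_multiply`: because $d$ and $e$ are public field elements rather than sharings, no share-by-share product of two degree-$t$ polynomials ever occurs, so the product sharing has the same degree $t$ as the inputs and the same reconstruction threshold applies.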

4 Preparation Phase 

4.1 Overview 

The goal of this phase is to generate m t-shared random triples $(a^{(k)}, b^{(k)}, c^{(k)})$ with $c^{(k)} = a^{(k)} b^{(k)}$ in such a way that the adversary obtains no information about $a^{(k)}$, $b^{(k)}$ and $c^{(k)}$ (except that $c^{(k)}$ is the product of $a^{(k)}$ and $b^{(k)}$). The generation of these triples makes extensive use of the player-elimination framework of [HMP00]:

The triples are generated in blocks of $\ell = \lceil m/n \rceil$ triples. The triples of a block are generated (in parallel) in a non-robust manner; only at the end of the block, consistency is checked jointly for all triples of the block in a single verification procedure (fault detection). In case of an inconsistency, a set D ⊆ P' of two players, at least one of whom is corrupted, is identified (fault localization) and excluded from further computations (player elimination). The triples of the failed block are discarded. Player elimination ensures that at most t blocks fail, and hence in total at most (n + t) blocks must be processed.

More precisely, the consistency verification takes place in two steps. In the first step (fault detection I), the degree of all involved sharings is verified. In other words, the players jointly verify that all sharings produced for generating the triples are of appropriate degree. The second verification step (fault detection II) is performed only if the first verification step is successful. Here, the players jointly verify that for every triple $(a^{(k)}, b^{(k)}, c^{(k)})$ every player shared the correct values such that $c^{(k)} = a^{(k)} b^{(k)}$. If a fault is detected (in either fault-detection step), then all triples in the actual block are discarded. Furthermore, a set D ⊆ P' of two players, one of whom is corrupted, is found (fault localization I, resp. fault localization II) and eliminated from further computations. Note that in the fault-localization procedure, the privacy of the triples is not maintained. The triples contain completely random values unrelated to all values of the actual computation.

Both verification steps use n “blinding triples”, and the privacy of these triples is annihilated in the verification procedure. Therefore, in each block, ℓ + 2n triples are generated. The first verification step verifies the degree of all sharings of the first ℓ + n triples, using (and destroying) the remaining n triples for blinding. The second verification step verifies the first ℓ triples, using the remaining n triples for blinding. Note that the second verification step requires that the sharings of all ℓ + n involved triples are verified to be correct.

During the generation of the blocks, players can be eliminated. At a given step, we denote the current set of players by P', the current number of players by n' = |P'|, and the maximum number of cheaters in P' by t'. Without loss of generality, we assume that $P' = \{P_1, \ldots, P_{n'}\}$. During the computation, the inequality 2t' < n' − t will hold as an invariant. In the beginning, P' = P, n' = n, and t' = t, and trivially 2t' < n' − t is satisfied. In player elimination, n' will be decreased by 2, and t' by 1. Clearly, this preserves the invariant.

0. Set P' = P, n' = n, and t' = t.

1. Repeat until n blocks (i.e., nℓ ≥ m triples) succeeded:

1.1 Generate ℓ + 2n' triples (in parallel) in a non-robust manner (Sect. 4.2).

1.2 Verify the consistency of all sharings involved in the first ℓ + n' triples (fault detection I, Sect. 4.3). If a fault is detected, identify a set D ⊆ P' of two players such that at least one player in D is a cheater, and set P' to P' \ D, n' to n' − 2 and t' to t' − 1 (fault localization I).

1.3 If no fault was detected in Step 1.2, then verify that in the first ℓ triples, every player shared the correct values (fault detection II, Sect. 4.4). If a fault is detected, identify a set D ⊆ P' of two players, at least one of whom is corrupted, and set P' to P' \ D, n' to n' − 2 and t' to t' − 1 (fault localization II).

1.4 If both verification steps were successful, then the generation of the block was successful, and the first ℓ triples can be used. If either verification procedure failed, then all triples of the actual block are discarded.

4.2 Generate One t-Shared Triple (a, b, c) 

The purpose of this protocol is to generate one t-shared triple (a, b, c), where c = ab. The generation of this triple is non-robust: verification will take place only at the end of the block. In particular, in order to share a value, the dealer simply computes the shares and sends them to the players; the consistency verification of the sent shares is delayed.

The generation of the triple is straight-forward: First, the players jointly generate t'-sharings of two random values a and b. This is achieved by having every player share two random values, one for a and one for b, which are then summed up. Then, a t'-sharing of c = ab is computed along the lines of [BGW88, GRR98] (passive model): Every player computes the product of his share of a and his share of b. These product shares define a 2t'-sharing of c, and c can be computed by Lagrange interpolation. This interpolation is a linear function on the product shares. Hence, a t'-sharing of c can be computed as a linear combination of t'-sharings of the product shares. Finally, the degrees of the sharings of a, b, and c must be increased from t' to t. In order to do so, the players jointly generate three random sharings of 0, each with degree t, and add one of them to the t'-sharings of a, b, and c, respectively. These random t-sharings of 0 are generated by first selecting a random (t − 1)-sharing of a random value, and then multiplying this polynomial by the monomial x.

Note that the protocol for computing a sharing of c = ab relies on the fact that the degree of the sharings of a and b is less than one third of the number of actual players, and it would not work if a and b were shared with degree t for 3t > n'. On the other hand, it is important that finally the sharings of all blocks have the same degree (otherwise the multiplication protocol of Section 5.2 would leak information about the factors), and t' can decrease from block to block. Therefore, first the triple is generated with degree t', and then this degree is increased to t.

Protocol “Generate” 

We give the exact protocol for generating one t-shared triple (a, b, c):

1. The players jointly generate t'-sharings of random values a and b:

1.1 Every player $P_i \in P'$ selects two random degree-t' polynomials $f_i(x)$ and $g_i(x)$, and hands the shares $a_{ij} = f_i(\alpha_j)$ and $b_{ij} = g_i(\alpha_j)$ to player $P_j$ for j = 1, ..., n'.

1.2 The polynomial for sharing a is $f(x) = \sum_{i=1}^{n'} f_i(x)$ (thus a = f(0)), and the polynomial for sharing b is $g(x) = \sum_{i=1}^{n'} g_i(x)$ (thus b = g(0)), and every player $P_j \in P'$ computes his shares of a and b as

$$a_j = \sum_{i=1}^{n'} a_{ij} \qquad\text{and}\qquad b_j = \sum_{i=1}^{n'} b_{ij}.$$

2. The players jointly compute a t'-sharing of c = ab:

2.1 Every player $P_i \in P'$ computes his product share $e_i = a_i b_i$ and shares it among the players with the random degree-t' polynomial $h_i(x)$ (with $h_i(0) = e_i$), i.e., sends the share $e_{ij} = h_i(\alpha_j)$ to player $P_j$ for j = 1, ..., n'.

2.2 Every player $P_j$ computes his share $c_j$ of c as

$$c_j = \sum_{i=1}^{n'} w_i\, e_{ij}, \qquad\text{where}\qquad w_i = \prod_{k=1,\; k \neq i}^{n'} \frac{\alpha_k}{\alpha_k - \alpha_i}.$$

3. The players jointly increase the degree of the sharings of a, b, and c to t (this step is performed only if t' < t):

3.1 Every player $P_i \in P'$ selects three polynomials $\tilde f_i(x)$, $\tilde g_i(x)$, $\tilde h_i(x)$ of degree t − 1 at random, and sends the shares $\tilde a_{ij} = \tilde f_i(\alpha_j)$, $\tilde b_{ij} = \tilde g_i(\alpha_j)$, and $\tilde c_{ij} = \tilde h_i(\alpha_j)$ to player $P_j$ for j = 1, ..., n'.

3.2 Every player $P_j \in P'$ computes his t-shares $a_j$, $b_j$, and $c_j$ of a, b, and c, respectively, as follows:

$$a_j := a_j + \alpha_j \sum_{i=1}^{n'} \tilde a_{ij}, \qquad b_j := b_j + \alpha_j \sum_{i=1}^{n'} \tilde b_{ij}, \qquad c_j := c_j + \alpha_j \sum_{i=1}^{n'} \tilde c_{ij}.$$



Analysis 

At the end of the block, two verifications will take place: First, it will be verified that the degree of all sharings is as required (t', respectively t − 1, Section 4.3). Second, it will be verified that in Step 2.1, every player $P_i$ indeed shares his correct product share (Section 4.4). In the sequel, we analyze the security of the above protocol under the assumption that these two conditions are satisfied.

After Step 1, obviously the assumption that the degree of all sharings is as required immediately implies that the resulting shares $a_1, \ldots, a_{n'}$ (respectively $b_1, \ldots, b_{n'}$) lie on a polynomial of degree t', and hence define a valid sharing. Furthermore, if at least one player $P_i \in P'$ honestly selected random polynomials $f_i(x)$ and $g_i(x)$, then a and b are random and unknown to the adversary.

In Step 2, we need the observation that c can be computed by Lagrange interpolation EMU:

$$c = \sum_{i=1}^{n'} w_i\, e_i, \qquad\text{where}\qquad w_i = \prod_{k=1,\; k \neq i}^{n'} \frac{\alpha_k}{\alpha_k - \alpha_i}.$$

Assuming that every player $P_i$ really shares his correct product share $e_i$ with a polynomial $h_i(x)$ of degree t', it follows immediately that the polynomial $h(x) = \sum_{i=1}^{n'} w_i h_i(x)$ is also of degree t', and furthermore

$$h(0) = \sum_{i=1}^{n'} w_i\, h_i(0) = \sum_{i=1}^{n'} w_i\, e_i = c.$$

The privacy is guaranteed because the adversary does not obtain information about more than t' shares of any polynomial $h_i(x)$ (for any i = 1, ..., n').

Step 3 is only performed if t' < t. Assuming that the polynomials $\tilde f_i(x)$, $\tilde g_i(x)$, and $\tilde h_i(x)$ of every player $P_i \in P'$ have degree at most t − 1, it immediately follows that all the polynomials defined as

$$\tilde f(x) = \sum_{i=1}^{n'} \tilde f_i(x), \qquad \tilde g(x) = \sum_{i=1}^{n'} \tilde g_i(x), \qquad \tilde h(x) = \sum_{i=1}^{n'} \tilde h_i(x)$$

also all have degree at most t − 1. Hence, the polynomials $x\tilde f(x)$, $x\tilde g(x)$, and $x\tilde h(x)$ have degree at most t, and they all share the secret 0. Thus, the sums $f(x) + x\tilde f(x)$, $g(x) + x\tilde g(x)$, and $h(x) + x\tilde h(x)$ are of degree t and share a, b, and c, respectively. The privacy of the protocol is obvious for t' < t − 1.

We briefly analyze the communication complexity of the above protocol: Every sharing requires n field elements to be sent, and in total there are 6n sharings, which results in a total of $6n^2$ field elements to be communicated per triple.



4.3 Verification of the Degrees of All Sharings in a Block 

The goal of this fault-detection protocol is to verify the degree of the sharings of ℓ + n' triples in a single step, using (and destroying) another n' triples.

The basic idea of this protocol is to verify the degree of a random linear combination of the polynomials. More precisely, every player distributes a random challenge vector of length ℓ + n' with elements in F, and the corresponding linear combination of each involved polynomial is reconstructed towards the challenging player, who then checks that the resulting polynomial is of appropriate degree. In order to preserve the privacy of the involved polynomials, for each verifier one additional blinding polynomial of appropriate degree is added. If a verifier detects a fault (i.e., one of the linearly combined polynomials has too high degree), then the triples of the actual block are discarded, and in a fault-localization protocol, a set D ⊆ P' of two players, at least one of whom is corrupted, is found and eliminated.



Protocol “Fault-Detection I” 

The following steps for verifying the degree of all sharings in one block are performed in parallel, once for every verifier $P_v \in P'$:

1. The verifier $P_v$ selects a random vector $[r_1, \ldots, r_{\ell+n'}]$ with elements in F and sends it to each player $P_j \in P'$.

2. Every player $P_j$ computes and sends to $P_v$ the following corresponding linear combinations (plus the share of the blinding polynomial) for every i = 1, ..., n':

$$a_{ij}^{(\Sigma)} = \sum_{k=1}^{\ell+n'} r_k\, a_{ij}^{(k)} + a_{ij}^{(\ell+n'+v)}, \qquad \tilde a_{ij}^{(\Sigma)} = \sum_{k=1}^{\ell+n'} r_k\, \tilde a_{ij}^{(k)} + \tilde a_{ij}^{(\ell+n'+v)},$$

$$b_{ij}^{(\Sigma)} = \sum_{k=1}^{\ell+n'} r_k\, b_{ij}^{(k)} + b_{ij}^{(\ell+n'+v)}, \qquad \tilde b_{ij}^{(\Sigma)} = \sum_{k=1}^{\ell+n'} r_k\, \tilde b_{ij}^{(k)} + \tilde b_{ij}^{(\ell+n'+v)},$$

$$e_{ij}^{(\Sigma)} = \sum_{k=1}^{\ell+n'} r_k\, e_{ij}^{(k)} + e_{ij}^{(\ell+n'+v)}, \qquad \tilde c_{ij}^{(\Sigma)} = \sum_{k=1}^{\ell+n'} r_k\, \tilde c_{ij}^{(k)} + \tilde c_{ij}^{(\ell+n'+v)}.$$

3. $P_v$ verifies whether for each i = 1, ..., n', the shares $a_{i1}^{(\Sigma)}, \ldots, a_{in'}^{(\Sigma)}$ lie on a polynomial of degree at most t'. The same verification is performed for the shares $b_{i1}^{(\Sigma)}, \ldots, b_{in'}^{(\Sigma)}$ and for the shares $e_{i1}^{(\Sigma)}, \ldots, e_{in'}^{(\Sigma)}$ for i = 1, ..., n'. Furthermore, $P_v$ verifies whether for each i = 1, ..., n', the shares $\tilde a_{i1}^{(\Sigma)}, \ldots, \tilde a_{in'}^{(\Sigma)}$ lie on a polynomial of degree at most t − 1. The same verification is performed for the shares $\tilde b_{i1}^{(\Sigma)}, \ldots, \tilde b_{in'}^{(\Sigma)}$ and for the shares $\tilde c_{i1}^{(\Sigma)}, \ldots, \tilde c_{in'}^{(\Sigma)}$ for i = 1, ..., n'.

4. Finally, $P_v$ broadcasts (using an appropriate sub-protocol) one bit according to whether all the 6n' verified polynomials have degree at most t', respectively t − 1 (confirmation), or at least one polynomial has too high degree (complaint).
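An added example (not code from the paper) of one verifier's degree check in Fault-Detection I, run over a deliberately tiny constructed field GF(7) with n' = 5 and t' = 1 so that the 1/|F| chance of a cheating dealer slipping through is visible: the bad sharing escapes exactly when the challenge entry r_k for it is 0. The degree test uses forward differences at consecutive evaluation points α_j = j, a shortcut chosen for this example rather than the interpolation a verifier would do.

```python
import random

# Constructed toy parameters (not from the paper): a deliberately tiny field GF(P) so the
# 1/|F| failure chance of the check is visible; n' = 5 players, t' = 1, alpha_j = j.
P = 7
N_PRIME, T_PRIME = 5, 1
ELL = 3                                   # triples per block in this toy (ell in the paper)
ALPHAS = list(range(1, N_PRIME + 1))


def poly_shares(coeffs):
    """Evaluate the polynomial with the given coefficients at alpha_1, ..., alpha_n'."""
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in ALPHAS]


def share(secret, degree, rng):
    """Non-robust Shamir sharing: random polynomial of degree at most `degree` with f(0) = secret."""
    return poly_shares([secret] + [rng.randrange(P) for _ in range(degree)])


def degree_at_most(values, d):
    """Do the values at alpha_j = j lie on a polynomial of degree <= d?  For consecutive
    evaluation points (and P > n') this holds iff the (d+1)-th forward difference vanishes.
    This shortcut stands in for the interpolation a verifier would do; it is this example's choice."""
    for _ in range(d + 1):
        values = [(b - a) % P for a, b in zip(values, values[1:])]
    return all(v == 0 for v in values)


def fault_detection_1(sharings, blinding, challenge):
    """Verifier P_v's check of one dealer's sharings.  `sharings` holds the ell+n' share vectors
    a_i.^(1..ell+n'), `blinding` the share vector a_i.^(ell+n'+v), `challenge` r_1..r_{ell+n'}.
    Every P_j sends a_ij^(Sigma) = sum_k r_k a_ij^(k) + a_ij^(ell+n'+v); P_v checks the degree."""
    combined = []
    for j in range(N_PRIME):
        s = blinding[j]
        for r_k, sh in zip(challenge, sharings):
            s = (s + r_k * sh[j]) % P
        combined.append(s)
    return degree_at_most(combined, T_PRIME)   # True = confirmation, False = complaint


def scenario(cheat, challenge, seed=1):
    """ell+n' honest degree-t' sharings; if `cheat` is an index, that sharing gets degree t'+1."""
    rng = random.Random(seed)
    sharings = [share(rng.randrange(P), T_PRIME, rng) for _ in range(ELL + N_PRIME)]
    if cheat is not None:
        # Cheating dealer: degree t'+1 with a non-zero leading coefficient.
        sharings[cheat] = poly_shares([rng.randrange(P) for _ in range(T_PRIME + 1)]
                                      + [rng.randrange(1, P)])
    blinding = share(rng.randrange(P), T_PRIME, rng)
    return fault_detection_1(sharings, blinding, challenge)


BASE_CHALLENGE = [3, 1, 4, 1, 5, 2, 6, 5]   # constructed r_1..r_{ell+n'}, length ELL + N_PRIME


def misses_over_field(cheat=2, seed=1):
    """Vary only the challenge entry for the bad sharing over all of GF(P): the fault escapes
    exactly when that entry is 0, i.e. with probability 1/|F| for an honest verifier."""
    misses = 0
    for r in range(P):
        challenge = list(BASE_CHALLENGE)
        challenge[cheat] = r
        misses += scenario(cheat, challenge, seed)
    return misses


if __name__ == "__main__":
    print("honest block passes:", scenario(None, BASE_CHALLENGE))
    print("bad sharing caught:", not scenario(2, BASE_CHALLENGE))
    print("misses over GF(7):", misses_over_field(), "of", P)
```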

Protocol “Fault-Localization I” 

This protocol is performed if and only if at least one verifier has broadcast a complaint in Step 4 of the above fault-detection protocol. We denote with $P_v$ the verifier who has reported a fault. If there are several such verifiers, the one with the smallest index v is selected.

5. The verifier $P_v$ selects one of the polynomials of too high degree and broadcasts the location of the fault, consisting of the index i and the “name” of the sharing (a, b, e, ã, b̃, or c̃). Without loss of generality, we assume that the fault was observed in the sharing $a_{i1}^{(\Sigma)}, \ldots, a_{in'}^{(\Sigma)}$.

6. The owner $P_i$ of this sharing (i.e., the player who acted as dealer for this sharing) sends to the verifier $P_v$ the correct linearly combined polynomial

$$f_i^{(\Sigma)}(x) = \sum_{k=1}^{\ell+n'} r_k\, f_i^{(k)}(x) + f_i^{(\ell+n'+v)}(x).$$

7. $P_v$ finds the (smallest) index j such that $a_{ij}^{(\Sigma)}$ (received from $P_j$ in Step 2) does not lie on the polynomial $f_i^{(\Sigma)}(x)$ (received from the owner $P_i$ in Step 6), and broadcasts j among the players in P'.

8. Both $P_i$ and $P_j$ send the list $a_{ij}^{(1)}, \ldots, a_{ij}^{(\ell+n')}, a_{ij}^{(\ell+n'+v)}$ to $P_v$.

9. $P_v$ verifies that the linear combination $[r_1, \ldots, r_{\ell+n'}]$ applied to the values received from $P_i$ is equal to $f_i^{(\Sigma)}(\alpha_j)$. Otherwise, $P_v$ broadcasts the index i, and the set of players to be eliminated is $D = \{P_i, P_v\}$. Analogously, $P_v$ verifies the values received from $P_j$ to be consistent with $a_{ij}^{(\Sigma)}$ received in Step 2, and in case of failure broadcasts the index j, and $D = \{P_j, P_v\}$.

10. $P_v$ finds the (smallest) index k such that the values received from $P_i$ and $P_j$ differ, and broadcasts k and both values $a_{ij}^{(k)}$ from $P_i$ and $a_{ij}^{(k)}$ from $P_j$.

11. Both $P_i$ and $P_j$ broadcast their value of $a_{ij}^{(k)}$.

12. If the values broadcast by $P_i$ and $P_j$ differ, then the localized set is $D = \{P_i, P_j\}$. If the value broadcast by $P_i$ differs from the value that $P_v$ broadcast (and claimed to be the value received from $P_i$), then $D = \{P_i, P_v\}$. Else, $D = \{P_j, P_v\}$.

Analysis 

It follows from simple algebra that if all players are honest, then the above fault-detection protocol will always pass. On the other hand, if at least one of the involved sharings (in any of the ℓ + n' triples) has too high degree, then every honest verifier will detect this fault with probability at least 1 − 1/|F|.

The correctness of the fault-localization protocol can be verified by inspection. There is no privacy issue; the generated triples are discarded.

The fault-detection protocol requires $n(n(\ell + n) + 6n^2) = n^2\ell + 7n^3$ field elements to be sent and n bits to be broadcast. For fault localization, up to $n + 2(\ell + n + 1) = 2\ell + 3n + 2$ field elements must be sent and $2\log n + \log 6 + \log(\ell + n + 1) + 4\log|F|$ bits must be broadcast.



4.4 Verification That All Players Share the Correct Product Shares 

It remains to verify that in each triple k = 1, ..., ℓ every player $P_i$ shared the correct product share $e_i^{(k)} = a_i^{(k)} b_i^{(k)}$ (Step 2.1 of protocol Generate). Since it is already verified that the sharings of all factor shares are of degree t', it is sufficient to verify that the shares $e_1^{(k)}, \ldots, e_{n'}^{(k)}$ lie on a polynomial of degree at most 2t'.

Note that the at least n' − t' > 2t' shares of the honest players uniquely define this polynomial. The key idea of this verification protocol is the same as in the previous verification protocol: Every verifier $P_v$ distributes a random challenge vector, and the corresponding linear combination of the polynomials (plus one blinding polynomial) is opened towards $P_v$. If a fault is detected, then a set D of two players (one of whom is corrupted) can be found with the fault-localization protocol.



Protocol “Fault-Detection II” 

The following steps are performed for each verifier $P_v \in P'$ in parallel.

1. The verifier $P_v$ selects a random vector $[r_1, \ldots, r_\ell]$ with elements in F and sends it to each player $P_j \in P'$.

2. Every player $P_j$ computes and sends to $P_v$ the following linear combinations (with blinding) for every i = 1, ..., n':

$$e_{ij}^{(\Sigma)} = \sum_{k=1}^{\ell} r_k\, e_{ij}^{(k)} + e_{ij}^{(\ell+v)}.$$

3. $P_v$ verifies whether for each i = 1, ..., n' the shares $e_{i1}^{(\Sigma)}, \ldots, e_{in'}^{(\Sigma)}$ lie on a polynomial of degree at most t', and if so, whether the secrets $e_1^{(\Sigma)}, \ldots, e_{n'}^{(\Sigma)}$ of the above sharings (computed by interpolating the corresponding share-shares) lie on a polynomial of degree at most 2t'. $P_v$ broadcasts one bit according to whether all polynomials have appropriate degree (confirmation), or at least one polynomial has too high degree (complaint).



Protocol “Fault-Localization II”

We denote with $P_v$ the verifier who has reported a fault in Step 3 of the above fault-detection protocol. If there are several such verifiers, the one with the smallest index v is selected.

4. If in Step 3, the degree of one of the second-level sharings $e_{i1}^{(\Sigma)}, \ldots, e_{in'}^{(\Sigma)}$ was too high, then $P_v$ applies error-correction to find the smallest index j such that $e_{ij}^{(\Sigma)}$ must be corrected. Since all sharings have been verified to have correct degree, $P_v$ can conclude that $P_j$ has sent the wrong value $e_{ij}^{(\Sigma)}$. $P_v$ broadcasts the index j, and the set of players to be eliminated is $D = \{P_j, P_v\}$ (and the following steps need not be performed).

5. Every player $P_i$ sends to $P_v$ all his factor shares $a_i^{(1)}, \ldots, a_i^{(\ell)}, a_i^{(\ell+v)}$ and $b_i^{(1)}, \ldots, b_i^{(\ell)}, b_i^{(\ell+v)}$.

6. $P_v$ verifies for every k = 1, ..., ℓ, ℓ+v whether the shares $a_1^{(k)}, \ldots, a_{n'}^{(k)}$ lie on a polynomial of degree t'. If not, then $P_v$ applies error-correction and finds and broadcasts the (smallest) index j such that $a_j^{(k)}$ must be corrected. The set of players to be eliminated is $D = \{P_j, P_v\}$. The same verification is performed for the shares $b_1^{(k)}, \ldots, b_{n'}^{(k)}$ for k = 1, ..., ℓ, ℓ+v.

7. $P_v$ verifies for every i = 1, ..., n' whether the value $e_i^{(\Sigma)}$ computed in Step 4 is correct, i.e., whether

$$e_i^{(\Sigma)} = \sum_{k=1}^{\ell} r_k\, a_i^{(k)} b_i^{(k)} + a_i^{(\ell+v)} b_i^{(\ell+v)}.$$

This test will fail for at least one i, and $P_v$ broadcasts this index i. The players in $D = \{P_i, P_v\}$ are eliminated.



Analysis 

The above fault-detection protocol always passes when all players are honest. If the degree of at least one of the involved sharings is higher than 2t', then every honest verifier will detect this fault with probability at least 1 − 1/|F|. The correctness of the fault-localization protocol follows by inspection.

The fault-detection protocol requires $n(n\ell + n^2) = n^2\ell + n^3$ elements to be sent, and n bits to be broadcast. The fault-localization protocol requires $2n(\ell + 1)$ field elements to be sent and log n bits to be broadcast.



4.5 Error Probabilities and Repetitive Verifications 

We first calculate the probability that a static adversary can introduce a bad triple into a block, without being detected. So assume that in a block, at least one triple is bad. This is detected by every honest player with probability 1 − 1/|F|. Hence, the probability that no honest player detects (and reports) the inconsistency is at most $|F|^{-(n'-t')}$. Once the bad block is detected, one corrupted player is eliminated. Hence the adversary can try t times to make a bad block pass, and the probability that (at least) one of these trials is not detected (and the protocol is disrupted) is at most $\sum_{i=0}^{t} |F|^{-(n-t-i)} < (1/|F|)^{n-2t}$.

If the adversary is adaptive, he can decide whether or not to corrupt the verifier after the challenge vector is known. Hence, a bad block passes the verification step if at least n' − t' of the challenge vectors cannot discover the fault, and this happens with probability at most $\sum_{i=0}^{t'} \binom{n'}{i} (1 - 1/|F|)^i (1/|F|)^{n'-i} < (3/|F|)^{n'-t'}$. Again, the adversary can try t times to make a bad block pass, which results in an overall error probability of $\sum_{i=0}^{t} (3/|F|)^{n-t-i} < (3/|F|)^{n-2t}$.

If the above error probabilities are too high, they can further be decreased by simply repeating the fault-detection protocols (with new and independent blinding triples). By repeating the protocol k times, the error probability is lowered to $(1/|F|)^{k(n-2t)}$ (static case), respectively $(3/|F|)^{k(n-2t)}$ (adaptive case).

5 Computation Phase 

The evaluation of the circuit is along the lines of the protocol of [Bea91a]. Slight modifications are needed because the degree t of the sharings and the upper bound t' on the number of cheaters need not be equal. Furthermore, special focus is given to the fact that in our protocol, also eliminated players must be able to give input to and receive output from the computation.

From the preparation phase, we have m random triples $(a^{(k)}, b^{(k)}, c^{(k)})$ with $c^{(k)} = a^{(k)} b^{(k)}$, where the sharings are of degree t among the set P' of players. The number of corrupted players in P' is at most t' with 2t' < n' − t, where n' = |P'|. This is sufficient for efficient computation of the circuit.

5.1 Input Sharing 

First, every player who has input secret-shares it (with degree t) among the set P' of players. We use the verifiable secret-sharing protocol of [BGW88] (with perfect security), with a slight modification to support t ≠ t'. The dealer is denoted by P, and the secret to be shared by s. We do not assume that P ∈ P' (neither P ∈ P).

1. The dealer P selects at random a polynomial f(x, y) of degree t in both variables, with f(0, 0) = s, and sends the polynomials $f_i(x) = f(\alpha_i, x)$ and $g_i(x) = f(x, \alpha_i)$ to player $P_i$ for i = 1, ..., n'.

2. Every player $P_i \in P'$ sends to $P_j$ for j = i + 1, ..., n' the values $f_i(\alpha_j)$ and $g_i(\alpha_j)$.

3. Every player $P_j$ broadcasts one bit according to whether all received values are consistent with the polynomials $f_j(x)$ and $g_j(x)$ (confirmation) or not (complaint).

4. If no player has broadcast a complaint, then the secret-sharing is finished, and the share of player $P_j$ is $f_j(0)$. Otherwise, every player $P_j$ who has complained broadcasts a bit vector of length n', where a 1-bit in position i means that one of the values received from $P_i$ was not consistent with $f_j(x)$ or $g_j(x)$. The dealer P must answer all complaints by broadcasting the correct values $f(\alpha_i, \alpha_j)$ and $f(\alpha_j, \alpha_i)$.

5. Every player $P_i$ checks whether the values broadcast by the dealer in Step 4 are consistent with his polynomials $f_i(x)$ and $g_i(x)$, and broadcasts either a confirmation or an accusation. The dealer P answers every accusation by broadcasting both polynomials $f_i(x)$ and $g_i(x)$ of the accusing player $P_i$, and $P_i$ replaces his polynomials by the broadcast ones.

6. Every player $P_i$ checks whether the polynomials broadcast by the dealer in Step 5 are consistent with his polynomials $f_i(x)$ and $g_i(x)$, and broadcasts either a confirmation or an accusation.

7. If in Steps 5 and 6, there are in total at most t' accusations, then every player $P_i$ takes $f_i(0)$ as his share of s. Otherwise, clearly the dealer is faulty, and the players take a default sharing (e.g., the constant sharing of 0).

It is clear that an honest player never accuses an honest dealer. On the other hand, if there are at most t' accusations, then the polynomials of at least n' − 2t' > t honest players are consistent, and these polynomials uniquely define the polynomial f(x, y) with degree t. Hence, the polynomials of all honest players are consistent, and their shares $f_1(0), \ldots, f_{n'}(0)$ lie on a polynomial of degree t.

This protocol communicates $3n^2$ field elements, and it broadcasts n bits (in the best case), respectively $n^2 + 3n + 2t^2 \log|F|$ bits (in the worst case).

5.2 Evaluation of the Circuit 

The circuit is evaluated gate by gate. Linear gates can be evaluated without any communication due to the linearity of the used sharing. Multiplication gates are evaluated according to [Bea91a]: Assume that the factors x and y are t-shared among the players. Furthermore, a t-shared triple (a, b, c) with c = ab is used. The product xy can be written as follows:

$$xy = ((x - a) + a)((y - b) + b) = (x - a)(y - b) + (x - a)b + (y - b)a + c.$$

The players in P' reconstruct the differences $d_x = x - a$ and $d_y = y - b$. This reconstruction is possible because 2t' < n' − t (e.g., see [BW86]). Note that reconstructing these values does not give any information about x or y, because a and b are random. Then, the following equation holds:

$$xy = d_x d_y + d_x b + d_y a + c.$$

This equation is linear in a, b, and c, and we can compute linear combinations on shared values without communication. This means that the players can compute the above linear combination on their respective shares of x and y and they receive a t-sharing of the product xy. More details can be found in [Bea91a].

This multiplication protocol requires two secret-reconstructions per multiplication gate. Secret-reconstruction requires every player in P' to send his share to every other player (who then applies error-correction to the received shares and interpolates the secret). The communication costs per multiplication gate are hence $2n^2$. Broadcast is not needed.
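As an added example (not code from the paper), the following Python script runs Protocol “Generate” of Section 4.2 over a constructed prime field with n' = 7, t' = 1 and t = 2, computing the Lagrange weights $w_i$ of Step 2.2 and the degree increase of Step 3, and then consumes the resulting triple in the multiplication step above. It serves both Section 4.2 and this section; the field, the player count and the sample inputs are assumptions of the example, and reconstruction is done without error correction.

```python
import random

# Constructed toy parameters (not from the paper): field GF(P), n' = 7 current players,
# t' = 1 current cheater bound, target degree t = 2, so 2t' < n' - t holds (2 < 5).
P = 2**31 - 1
N_PRIME, T_PRIME, T = 7, 1, 2
ALPHAS = list(range(1, N_PRIME + 1))          # evaluation points alpha_1, ..., alpha_n'


def share(secret, degree, rng):
    """Non-robust Shamir sharing: random polynomial f with f(0) = secret, shares f(alpha_j)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(degree)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in ALPHAS]


def lagrange_weights():
    """w_i = prod_{k != i} alpha_k / (alpha_k - alpha_i): interpolation weights at x = 0 (Step 2.2)."""
    weights = []
    for i, a_i in enumerate(ALPHAS):
        num = den = 1
        for k, a_k in enumerate(ALPHAS):
            if k != i:
                num = num * a_k % P
                den = den * (a_k - a_i) % P
        weights.append(num * pow(den, -1, P) % P)
    return weights


W = lagrange_weights()


def reconstruct(shares):
    """f(0) = sum_i w_i f(alpha_i); exact for any polynomial of degree < n' (no error correction)."""
    return sum(w * s for w, s in zip(W, shares)) % P


def add_shares(acc, new, scale=None):
    """acc[j] += scale[j] * new[j] for every player j (scale defaults to 1)."""
    for j in range(N_PRIME):
        acc[j] = (acc[j] + (1 if scale is None else scale[j]) * new[j]) % P


def generate_triple(rng):
    """Protocol Generate: t'-sharings of random a, b and of c = ab, then degree raised to t."""
    a_sh, b_sh, c_sh = [0] * N_PRIME, [0] * N_PRIME, [0] * N_PRIME
    # Step 1: every P_i shares a random value with degree t'; a = sum_i f_i(0), b = sum_i g_i(0).
    for _ in range(N_PRIME):
        add_shares(a_sh, share(rng.randrange(P), T_PRIME, rng))
        add_shares(b_sh, share(rng.randrange(P), T_PRIME, rng))
    # Step 2: the product shares e_i = a_i b_i form a 2t'-sharing of c.  P_i re-shares e_i with
    # degree t' and every P_j sets c_j = sum_i w_i e_ij (Lagrange interpolation is linear).
    for i in range(N_PRIME):
        e_i = a_sh[i] * b_sh[i] % P
        add_shares(c_sh, share(e_i, T_PRIME, rng), scale=[W[i]] * N_PRIME)
    # Step 3: add alpha_j * (sum of random degree-(t-1) polynomials), a degree-t sharing of 0.
    if T_PRIME < T:
        for vec in (a_sh, b_sh, c_sh):
            for _ in range(N_PRIME):
                add_shares(vec, share(rng.randrange(P), T - 1, rng), scale=ALPHAS)
    return a_sh, b_sh, c_sh


def multiply(x_sh, y_sh, triple):
    """Section 5.2: xy = d_x d_y + d_x b + d_y a + c, with d_x = x - a and d_y = y - b reconstructed."""
    a_sh, b_sh, c_sh = triple
    d_x = reconstruct([(x - a) % P for x, a in zip(x_sh, a_sh)])
    d_y = reconstruct([(y - b) % P for y, b in zip(y_sh, b_sh)])
    # Purely local linear combination on the shares of a, b, c; the constant d_x d_y is added by all.
    return [(d_x * d_y + d_x * b + d_y * a + c) % P for a, b, c in zip(a_sh, b_sh, c_sh)]


def demo(seed=7):
    """Returns (triple is consistent, multiplication is correct) for one run."""
    rng = random.Random(seed)
    triple = generate_triple(rng)
    a, b, c = (reconstruct(s) for s in triple)
    x, y = 123456789, 987654321            # constructed sample inputs
    xy_sh = multiply(share(x, T, rng), share(y, T, rng), triple)
    return c == a * b % P, reconstruct(xy_sh) == x * y % P


if __name__ == "__main__":
    print(demo())   # (True, True)
```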

5.3 Output Reconstruction 

Any player P can receive output (not only players in P' or in P). In order to reconstruct a shared value x towards player P, every player in P' sends his share of x to P, who then applies error-correction and interpolation to compute the output x. In the error-correction procedure, up to $(n' - t - 1)/2 \ge t'$ errors can be corrected (e.g., see [BW86]).

Reconstructing one value requires n field elements of communication, and no broadcast.

5.4 Probabilistic Functions 

The presented protocol is for deterministic functions only. In order to capture probabilistic functions, one can generate one (or several) blocks with single values only (with simplified verification), and use these values as shared randomness.

Alternatively, but somewhat wastefully, one just picks the value $a^{(k)}$ from a shared triple $(a^{(k)}, b^{(k)}, c^{(k)})$, and discards the rest of the triple. Then, m denotes the number of multiplication gates plus the number of “randomness gates”.



5.5 On-Going Computations 

In an on-going computation, inputs and outputs can be given and received at any time during the computation, not only at the beginning and at the end. Furthermore, it might even not be specified beforehand which function will be computed. An example of an on-going computation is the simulation of a fair stock market.

In contrast to the protocol of [HMP00], the proposed protocol can easily be extended to capture the scenario of on-going computations. First, the players generate ℓ triples (a, b, c) with c = ab, and perform the computation until all triples are exhausted. Then, a new block of ℓ triples is generated, and so on.

6 Complexity Analysis 

A detailed complexity analysis is given in Appendix A. Here we summarize the most important results: Let n denote the number of players, F the field over which the function (circuit) is defined, m the number of multiplication gates in the circuit, $C_d$ the depth of the circuit, $n_I$ the number of inputs and $n_O$ the number of outputs of the function. Evaluating this circuit securely with respect to an active adversary corrupting any t < n/3 of the players is possible with communicating $14mn^2 + O(n_I n^2 + n_O n + n^4)$ field elements. The number of communication rounds is $C_d + O(n^2)$. All complexities include the costs for simulating broadcast. If the field F is too small (and the resulting error probability is too high), then fault-detection protocols are repeated, and the overall communication complexity increases accordingly.

This complexity should be compared with the complexity of the most efficient protocols. In the secure-channels model, the most efficient protocol for unconditionally secure multi-party protocols [HMP00] requires $O(mn^3)$ field elements in $O(C_d + n^2)$ rounds (where both hidden constants are slightly higher than ours).

For completeness, we also compare the complexity of our protocol with the complexity of the most efficient protocol for the cryptographic model [CDN01]. This protocol requires a communication complexity of $O(mn^2)$ field elements in $O(C_d n)$ rounds. The high round complexity results from the fact that the protocol invokes a broadcast sub-protocol for each multiplication gate. The most efficient broadcast protocols require O(n) rounds. Constant-round broadcast protocols are known [FM88], but they have higher communication complexities and would result in a communication complexity of O(mn^) field elements.

Finally, we compare the protocol with the most efficient known protocol for passive security, namely [BGW88] with the simplification of [GRR98]. This protocol communicates $mn^2 + O(n_I n + n_O n)$ field elements. Hence, for large enough circuits, robustness can be achieved with a communication overhead factor of about 14.



7 Conclusions and Open Problems 



We have presented a protocol for secure multi-party computation unconditionally secure against an active adversary which is (up to a small constant factor) as efficient as protocols with passive security. The protocol provides some (arbitrarily small) probability of error. Note that due to the player-elimination technique, this error probability does not grow with the length of the protocol (like in all previous MPC protocols with error probability), but only in the upper bound t of the number of corrupted players.

It remains open whether quadratic complexity can also be achieved in other models. In the unconditional model with perfect security, the most efficient protocol requires communication of $O(n^3)$ field elements per multiplication gate [HMP00]. In the unconditional model with broadcast (with small error probability), the most efficient protocol requires $O(n^2)$ field elements to be broadcast per multiplication gate | f(;UU^9HIFeh()()| . In the cryptographic model (where up to t < n/2 of the players may be corrupted), the most efficient protocol requires communication of $O(n^2)$ field elements (and O(n) rounds!) per multiplication gate [CDN01]. A very recent result for Boolean circuits achieves essentially the same communication complexity per multiplication, but in a constant number of rounds for the whole circuit |l )IN1) I] .

Also, it would be interesting to combine the techniques of this paper with the techniques of papers with protocols that require a constant number of rounds only (but have a high communication complexity), to achieve a multi-party protocol which has both low communication complexity and very low round complexity.

Furthermore, the presented protocol is for the synchronous model. Some real-world networks appear to be more appropriately modeled by the asynchronous model, and the protocol must be adapted for this setting. It seems that this can be done along the lines

Finally, it would be interesting to have a proof that quadratic complexity is optimal for passive security. This would immediately imply that the protocol of this paper is optimally efficient (up to a constant factor).

Acknowledgments. We would like to thank Serge Fehr and Matthias Fitzi for many fruitful discussions, and the anonymous referees for their helpful comments.
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A Detailed Complexity Analysis 

We summarize the complexities of all involved sub-protocols. For each sub- 
protocol, we indicate both the message complexity (MC, in communicated field 
elements) and the broadcast complexity (BC, in bits) of the protocol involved 
once, and specify how often the protocol is called at least (when no adversary is 
present) and at most (when the corrupted players misbehave in the most effec- 
tive way). The complexity of the verifiable secret-sharing protocol of [H(IW88j . 
which is used for giving input, depends on whether or not some of the players 
misbehave. We list both complexities. 
In the table, n denotes the number of players, t the upper bound on the number 
of actively corrupted players, m the total number of multiplication gates, ℓ the 
number of multiplication gates per block, n_I the number of inputs to the 
function, and n_O the number of outputs of the function. 

The indicated complexities are upper bounds: in particular, when a player 
has to send a message to all players, we count this as n messages (instead of 
n − 1). 



      What                    MC (field elements)   BC (bits)                                    #Calls (min ... max)
 (1)  Generate triples        6n^2                  —                                            n(ℓ+2n) ... (n+t)(ℓ+2n)
 (2)  Fault detection I       ℓn^2 + 7n^3           n                                            n ... n+t
 (3)  Fault localization I    2ℓ + 4n + 2           2 log n + 4 log|F| + log(ℓ+n+1) + log 6      0 ... t
 (4)  Fault detection II      ℓn^2 + n^3            n                                            n ... n+t
 (5)  Fault localization II   2ℓn + 2n              log n                                        0 ... t
 (6)  Give input (best)       3n^2                  n                                            n_I
 (7)  Give input (worst)      3n^2                  n^2 + 3n + 2t^2 log|F|                       n_I
 (8)  Multiply                2n^2                  —                                            m
 (9)  Get output              n                     —                                            n_O



We add up the above complexities for ℓ ≤ m/n + 1, n ≥ 4, and t < n/3. 
In order to simplify the expressions, some of the terms are slightly rounded up. 
Furthermore, for the sake of simplicity, we assume that the field F is large enough 
that the resulting failure probability of the fault-detection protocols is small 
enough and there is no need to repeat the protocol. 

In the best case (when no cheating occurs), 10mn^2 + 22n^4 + 3n_I n^2 + n_O n 
field elements are communicated and 2n^2 + n_I n bits are broadcast. Applying 
the broadcast protocol of [BGP92] (which communicates 9n^2 bits for broadcasting 
one bit), this results in a total complexity of less than 10mn^2 log|F| + 
22n^4 (log|F| + 1) + n_I n^2 (3 log|F| + 9n) + n_O n log|F| bits. 

In the worst case, the protocol communicates 13mn^2 + 30n^4 + 3n_I n^2 + n_O n field 
elements and broadcasts 3n^2 + 2n log|F| + (n/3) log m + log|F| bits. Simulating 
broadcast with [BGP92], this gives less than 14mn^2 log|F| + 35n^4 (log|F| + 1) + 
9n_I n^2 log|F| + n_O n log|F| bits. This is about 14mn^2 + O(n_I n^2 + n_O n + n^4) field 
elements. 

Abstract. Consider a network of processors among which elements in 
a finite field K can be verifiably shared in a constant number of rounds. 
Assume furthermore constant-round protocols are available for generat- 
ing random shared values, for secure multiplication and for addition of 
shared values. These requirements can be met by known techniques in 
all standard models of communication. 

In this model we construct protocols allowing the network to securely 
solve standard computational problems in linear algebra. In particular, 
we show how the network can securely, efficiently and in constant-round 
compute determinant, characteristic polynomial, rank, and the solution 
space of linear systems of equations. Constant round solutions follow for 
all problems which can be solved by direct application of such linear 
algebraic methods, such as deciding whether a graph contains a perfect 
matching. 

If the basic protocols (for shared random values, addition and multiplica- 
tion) we start from are unconditionally secure, then so are our protocols. 
Our results offer solutions that are significantly more efficient than pre- 
vious techniques for secure linear algebra, they work for arbitrary fields 
and therefore extend the class of functions previously known to be com- 
putable in constant round and with unconditional security. In particular, 
we obtain an unconditionally secure protocol for computing a function f 
in constant round, where the protocol has complexity polynomial in the 
span program size of f over an arbitrary finite field. 



1 Introduction 

In this paper we consider the problem of secure multiparty computation (MPC), 
where n players, each holding a secret input, want to compute an agreed function 
of the inputs, in such a way that the correct result is computed, and no additional 
information about the inputs is released. This should hold even in the presence of 
an adversary who can corrupt some of the players, which means he can see all their 
internal data and can (if he is active) even make them behave as he likes. 

A main distinction between different kinds of MPC protocols concerns the 
model for communication: In the cryptographic model (first studied in OH), 
the adversary may see all messages sent, and security can then only be guaran- 
teed under a computational assumption. In the information-theoretic model (first 
studied in 00 ), one assumes a private channel between every pair of players, 
and security can then be guaranteed unconditionally. 

Two measures of complexity are important for MPC protocols, namely the 
communication complexity (total number of bits sent) and the round complexity 
(where a round is a phase where each player is allowed to send one message to 
each other player). 

In this paper, we focus on the round complexity of MPC protocols, in par- 
ticular on building constant-round protocols. Kilian m showed that Boolean 
formulas can be securely and efficiently evaluated in constant rounds in the 
two-party case, with secure computations based on Oblivious Transfer. Under 
a complexity assumption, it was shown in [2] by Beaver, Micali and Rogaway 
that any function that can be computed in polynomial time can also be securely 
computed in a constant number of rounds (and polynomial communication). 
The result works under minimal complexity assumptions, but leads in practice 
to very inefficient protocols. Thus, for computationally secure MPC in constant 
round, the question is not which functions can be securely computed, but rather 
how efficiently it can be done. 

The situation is different for unconditionally secure MPC: in this model, 
it is not known which functions can be securely computed in constant-round. 
However, Bar-Ilan and Beaver showed that it can be done for any arithmetic 
formula. 

Later results by Feige, Kilian and Naor (El and Ishai and Kushilevitz m 
ITT] and Beaver P| extend this to functions in NL and some related counting 
classes. More precisely, their protocols are polynomial in the modular branching 
program size of the function computed. Their methods also apply to the more 
general arithmetic branching program model of Beimel and Gal0. 

2 Our Work 

In this paper, we start from the assumption that we are given an efficient, con- 
stant round method to share securely between the players values in a finite field 
K and to reveal them. For an active adversary, this would be a verifiable secret 
sharing (VSS). In the following, we write [a] for a sharing of a, i.e. [a] denotes 
the collection of all information related to a held by the players. When M is 
a matrix over K, [M] will denote a sharing of each of the coordinates of M. 
Whenever we say “let [x] be a sharing” we mean that either some processor has 
distributed shares of his private input x, or that [x] is the result of previous 
secure computations on certain private inputs of the processors. An expression 
such as "[f(x)] is securely computed from [x]" means that the processors in the 
network perform secure computations on a sharing of x, as a result of which they 
obtain a (random) sharing of f(x). 

We show how to design efficient constant-round protocols for a number of 
standard linear algebra problems: 

— Given a shared matrix [A] over an arbitrary finite field K, we show how to 
compute securely a sharing [det(A)] of the determinant of A. More generally, 
[f] is computed where f denotes the vector containing the coefficients of the 
characteristic polynomial of A. 
— Given a shared (not necessarily square) matrix [A] over a finite field K, we 
show how to securely compute the rank of A, concretely we can compute [r] 
where r is a unary encoding of the rank of A, padded with zeroes. 

— Given also a shared vector [y] we show how to securely compute [b] where b 
is a bit that indicates whether the system of equations Ax = y is solvable. 
Finally, we show how to solve the system by securely computing [x], [B], 
where x is a solution and [B] generates A's kernel. 

Our protocols work for arbitrary fields and do not use any cryptographic 
assumptions, so if the basic sharing method we start from is unconditionally 
secure, then so are the protocols we construct. 

It is easy to see that our results allow handling all functions computable in 
constant round and with unconditional security using the most general previous 
methods mni: for instance, our protocol for subspace membership immedi- 
ately implies a constant-round protocol for computing a function f, of com- 
plexity polynomial in the span program [18] size of f. By the results from ^ 
span programs are always at least as powerful as the modular and arithmetic 
branching programs to which the methods from [I bll Y) apply. For fields with 
fixed characteristic, all three models are equivalent in power. However, since this 
is not known to hold for arbitrary fields, our results extend the class of functions 
known to be computable in constant round and with unconditional security. 

What is equally important, however, is that the standard linear algebra prob- 
lems we can handle are problems that occur naturally in practice. For instance, 
deciding if a determinant is non-zero allows one to decide if a bipartite graph con- 
tains a perfect matching. Moreover, privacy is a natural requirement in matching 
type problems that occur in practice. 

We therefore believe it is of interest to be able to do linear algebra securely 
and efficiently. Our work leads to protocols with better efficiency compared to 
solutions based on combinations of known techniques. Please refer to Section 6.5 
for more details in the case of determinant and characteristic polynomial. 

We note that our results apply to the cryptographic model as well as the infor- 
mation theoretic one, the only difference being the implementation of the underlying 
sharing and multiplication protocols. And because we attack the problems di- 
rectly rather than going through reductions (to, e.g., Boolean circuits for the 
problems) we get much more efficient solutions than what one gets from, e.g., [2]. 

3 Some Basic Protocols 

For convenience in describing our main protocols, we assume that secure constant 
round protocols are available for the following tasks: 

— Computing (from scratch) a sharing [r] where r ∈ K is random and unknown 
to the adversary. 

— Computing from sharings [a], [b] a sharing [a + b]. 

— Computing from sharings [a], [b] a sharing [ab]. 

Also, these protocols must remain secure when composed in parallel. 
The first two requirements are always met if the sharing method used is 
linear over K, in the sense that from [a], [b] and a known constant c, we can 
non-interactively compute new sharings [a + b] and [ac], and more generally, 
arbitrary linear functionals. For standard examples of VSS, this just translates 
to locally adding shares of a to corresponding shares of b, and to multiplying the 
shares of a by c. 

In fact, all three requirements can be met by known techniques in all stan- 
dard models of communication. We give here a few examples of existing efficient, 
constant round, linear MPC protocols: The classical unconditionally secure MPC 
protocols of Ben-Or, Goldwasser and Wigderson 0 and Chaum, Crépeau and 
Damgaard [Zj are examples in the secure channels model satisfying all our re- 
quirements, tolerating an active, adaptive threshold adversary that corrupts less 
than a third of the processors. 

MPC protocols secure against general adversaries HS| are given by Cramer, 
Damgaard and Maurer jOj. Their protocols make no restriction on the field size, 
as opposed to [3] where this must be larger than the size of the network. (¹) For 
the broadcast model of Rabin and Ben-Or m, one can take the protocols of 
PI, tolerating an actively (and adaptively) corrupted minority at the expense 
of negligible errors and the assumption that a secure broadcast primitive is 
given. (²) An example in the cryptographic model is given by the protocols of 
Gennaro, Rabin and Rabin m. Here the size of the field is necessarily large. 
For the binary field an example is given in [S|. This protocol, which is based on 
homomorphic threshold encryption, is quite efficient and tolerates an actively 
corrupted minority. 

Note that parallel composition is not secure in general for all the models of 
communication mentioned here, unless extra properties are required. Neverthe- 
less, the example protocols considered above are in fact secure under parallel 
composition. 

A final basic protocol (called Π_1 in the following) that we will need is: 

— Compute from a sharing [a] a sharing [h(a)], where h is the function on K 
defined by h(a) = 0 if a = 0 and h(a) = 1 if a ≠ 0. 

Later we show a constant-round realization of this protocol based only on the 
three requirements above. This realization is efficient if the characteristic of the 
field is polynomially bounded. 

For arbitrary fields, we can do the following instead: assume first that K = 
GF(q) for a (large) prime q. Represent an element a ∈ K in the natural way as 
a bit string a_0, ..., a_k. Choose a new field F = GF(p) where p is a small prime; 
all that is required is that p is larger than the number of players, in particular, 
p does not depend on the size of the input to the desired computation. Define 
[a] = [a_0]_F, ..., [a_k]_F, i.e., using any of the standard methods described above we 
share each bit in the representation of a over the field F. 

We can now use the well-known fact that for a given, fixed q, there exist NC^1 
Boolean circuits for elementary operations in GF(q) (and even for unbounded 

¹ In the full version of 0 it is pointed out that their VSS is actually constant round. 

² One extra level of sub-sharing must be built in (which is no problem) to ensure 
constant rounds for their multiplication protocol. 
fan-in addition). This, together with the result from P and the fact that Boolean 
operations can be simulated in a natural way by arithmetic in F immediately 
implies existence of constant round protocols for this sharing method meeting 
the three requirements above. Moreover, computing the function h is now trivial 
since we only have to compute the OR of all bits of the input value. 

Finally, we show in Section 4 how the basic protocols for a field K can be 
lifted to any extension field of K. 

Since most of the known MPC protocols are linear, we explain our protocols 
under this assumption, since it leads to more efficient and easier to explain 
protocols. At the end of Section 4 we argue that our results also hold in the 
more general model described earlier. 



4 Known Techniques Used 

Let a secure linear MPC protocol for elementary arithmetic (i.e., multiplication 
and addition) over a finite field K be given, that is efficient and constant round. 
Write q = |K|. We frequently use the following constant-round techniques from 
Bar-Ilan and Beaver 0. 

Joint Secret Randomness is a protocol to generate a sharing [ρ] where ρ ∈ K 
is random and secret. This is just by letting all players in the network share a 
random element, and taking the sum as the result. This extends in a natural way 
to random vectors and matrices. Secure Matrix Multiplication is a protocol that 
starts from sharings [A], [B] of matrices A and B, and generates a sharing [AB] 
of their product. This protocol works in the obvious way. We denote this secure 
computation by [AB] = [A] · [B]. By our assumptions on the basic MPC, it follows 
that if any of these matrices, say A, is publicly known, secure multiplication can 
be performed non-interactively, and we write [AB] = A · [B] instead. 

Jointly Random Secret Invertible Elements and Matrices is a protocol that 
generates a sharing of a secret, random nonzero field element or an invertible 
matrix. The protocol securely generates two random elements (matrices), se- 
curely multiplies them, and reveals the result. If this is non-zero (invertible), 
one of the secret elements (matrices) is taken as the desired output of the proto- 
col. The probability that a random matrix A ∈ K^{n,n} is invertible is more than 1/4 (³) 
and is at least 1 − n/q. In particular if n is negligible compared to q, almost all 
A ∈ K^{n,n} are invertible. This is easy to verify (see also the counting arguments 
in Section 6.1). 

Secure Inversion of Field Elements and Matrices is a protocol that starts from 
a sharing of an invertible field element or matrix, and results in a sharing of its 
inverse. We denote this secure computation by [x^{-1}] = [x]^{-1} and [A^{-1}] = [A]^{-1}, 
respectively. This protocol first generates [ρ] with ρ ∈ K random and non-zero, 
securely computes [σ] = [ρ] · [x], and finally reveals σ. The result [x^{-1}] is then 
non-interactively computed as σ^{-1} · [ρ]. The same approach applies to the case 
of an invertible matrix. 

³ For instance, by simple counting and induction it follows that this probability is at 
least 1/4 + (1/2)^{n+1}. Also, there are better estimates known from the literature. 
Securely Solving Regular Systems is a protocol that starts from sharings of 
an invertible matrix and a vector, and generates a sharing of the unique pre- 
image of that vector under the given invertible matrix. This protocol follows 
immediately from the above protocols. 

Secure Unbounded Fan-In Multiplication is a protocol that produces a sharing 
of the product of an unbounded number m of shared field elements [x_i]. First 
consider the case where all elements [x_1], ..., [x_m] are invertible. The network 
generates sharings [ρ_1], ..., [ρ_m] of independently random non-zero values, and 
subsequently sharings of their multiplicative inverses. Next, they compute [σ_1] = 
[x_1] · [ρ_1], and, for i = 2 ... m, [σ_i] = [ρ_{i−1}^{-1}] · [x_i] · [ρ_i]. Finally, they publicly 
reconstruct σ_i for i = 1 ... m, compute the product of the σ_i's, and multiply 
the result into the sharing of ρ_m^{-1} to get a sharing of the product of the x_i's. 
See PI for a more efficient solution. Using a result by Ben-Or and Cleve, the 
general case (i.e., x_i's may be equal to 0) is reduced to the previous case. The 
resulting protocol comes down to unbounded secure multiplication of certain 
invertible 3 × 3 matrices. The overhead is essentially a multiplicative factor n. 
See Section 6.4 for an alternative approach. 
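The inversion and unbounded fan-in protocols just described, as an added Python simulation that is not code from the paper: values are additively shared over K = GF(p), and the secure multiplication sub-protocol the paper assumes is replaced by an ideal stand-in that reconstructs and re-shares; the prime, the player count and the sample inputs are constructed.

```python
"""Bar-Ilan/Beaver style secure inversion and unbounded fan-in multiplication
over K = GF(p), simulated with additive sharing among N_PLAYERS parties."""
import random

P = 2**31 - 1      # prime field modulus (constructed example value)
N_PLAYERS = 5      # constructed example value


def share(value, n=N_PLAYERS, p=P):
    """Additive sharing: n random summands of `value` in GF(p).
    The scheme is linear, so add() and scale() below are purely local."""
    shares = [random.randrange(p) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % p)
    return shares


def reveal(shares, p=P):
    """Public reconstruction: every party broadcasts its share."""
    return sum(shares) % p


def add(a, b, p=P):
    """[a + b] = [a] + [b], computed locally on each party's shares."""
    return [(x + y) % p for x, y in zip(a, b)]


def scale(c, a, p=P):
    """[c·a] = c · [a] for a PUBLIC constant c, computed locally."""
    return [(c * x) % p for x in a]


def mul(a, b, p=P):
    """Stand-in (ideal functionality) for the assumed secure multiplication
    sub-protocol: outputs a fresh random sharing of the product."""
    return share(reveal(a, p) * reveal(b, p) % p, len(a), p)


def random_nonzero_sharing(p=P):
    """Jointly random secret non-zero element: share two random values,
    multiply, reveal the product and retry if it is zero (Section 4)."""
    while True:
        r1, r2 = share(random.randrange(p), p=p), share(random.randrange(p), p=p)
        if reveal(mul(r1, r2, p), p) != 0:
            return r1


def invert(x_sh, p=P):
    """[x^-1]: blind x with random non-zero rho, reveal sigma = rho·x, then
    [x^-1] = sigma^-1 · [rho] locally. sigma is uniform over K* whatever x is,
    so the revealed value carries no information about x. Returns ([x^-1], sigma)."""
    rho = random_nonzero_sharing(p)
    sigma = reveal(mul(rho, x_sh, p), p)
    return scale(pow(sigma, -1, p), rho, p), sigma


def fan_in_product(x_shares, p=P):
    """Product of m shared NON-ZERO values in constant rounds: all [sigma_i]
    are computable in parallel and revealed together. The revealed sigma_i
    telescope to x_1···x_m·rho_m, so one local scaling of [rho_m^-1] finishes.
    Returns ([x_1···x_m], list of revealed sigma_i)."""
    m = len(x_shares)
    rhos = [random_nonzero_sharing(p) for _ in range(m)]
    rho_invs = [invert(r, p)[0] for r in rhos]
    sigmas = [mul(x_shares[0], rhos[0], p)]                     # sigma_1 = x_1·rho_1
    for i in range(1, m):                                       # sigma_i = rho_{i-1}^-1·x_i·rho_i
        sigmas.append(mul(mul(rho_invs[i - 1], x_shares[i], p), rhos[i], p))
    revealed = [reveal(s, p) for s in sigmas]
    prod = 1
    for s in revealed:
        prod = prod * s % p
    return scale(prod, rho_invs[-1], p), revealed
```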

Note also that the MPC protocol over K is easily "lifted" to an extension 
field L of K, as we show below. If the original is efficient and constant round, 
then so is the lifted protocol. 

L may be viewed as a K-vector space; let b_0, ..., b_{d−1} be a fixed K-basis 
for L, where d is the degree of L over K. More precisely, let α be a root of an 
irreducible polynomial f(X) ∈ K[X] of degree d. We set b_j = α^j for j = 0 ... d−1. 
Elements of L are represented by coordinate vectors with respect to this chosen 
basis. In particular, the vectors that are everywhere zero except possibly in the 
first coordinate correspond to the elements of K. 

If [x_0]_K, ..., [x_{d−1}]_K are sharings, with the x_i's in K, this is interpreted as 
[x]_L, where x = Σ_{i=0}^{d−1} x_i · b_i ∈ L. Let [x]_L = ([x_0]_K, ..., [x_{d−1}]_K) and [y]_L = 
([y_0]_K, ..., [y_{d−1}]_K) be sharings of x, y ∈ L. Securely computing [x + y]_L = [x]_L + 
[y]_L amounts to computing the sum of the vectors, which is done by local oper- 
ations. So we have the correspondence [x + y]_L ↔ ([x_0 + y_0]_K, ..., [x_{d−1} + y_{d−1}]_K). 

Now consider multiplication. For i = 0, ..., d − 1 let B_i be the matrix whose 
j-th column is the vector representation of the element b_i · b_j ∈ L, and let 
B = B_0 || ··· || B_{d−1} (concatenation from left to right). Let x ⊗ y ∈ K^{d^2} be 
the (column) vector whose j-th "block" is x_j · y_0, ..., x_j · y_{d−1}. Then: 

x · y = Σ_{i,j} x_i · y_j · b_i b_j = B · (x ⊗ y) = (λ_0, ..., λ_{d−1})^T ∈ K^d, 

and so we have the correspondence [x · y]_L ↔ [B(x ⊗ y)]_K. 

Over K, it is straightforward for the network to first securely compute [x ⊗ 
y] = [x] ⊗ [y] efficiently in constant rounds. Since B is public, secure computation 
of [B(x ⊗ y)]_K is then by local operations only. Hence, secure multiplication in 
the extension field can be carried out efficiently in constant rounds. Note that 
securely multiplying by a known constant is a special case, which is handled 
completely by local operations. 
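The lifting of multiplication to L = K[X]/(f(X)), as an added Python example that is not code from the paper: it builds the public matrix B from the products of basis elements and checks that B(x ⊗ y) equals the coordinate vector of x · y computed directly. The field GF(7), the polynomial f(X) = X^2 + 1 and the sample elements are constructed; B depends only on f, so in the protocol the matrix-vector product is local.

```python
"""Section 4 lifting: x·y in L = GF(p^d) = K[X]/(f) as B·(x ⊗ y) with B public."""
P = 7
F = [1, 0, 1]          # f(X) = 1 + 0·X + X^2, irreducible over GF(7) (constructed)
D = len(F) - 1         # degree d; basis b_j = alpha^j for a root alpha of f


def poly_mod(a, f=F, p=P):
    """Reduce a polynomial (lowest degree first) modulo the monic polynomial f,
    returning exactly d coordinates with respect to the basis 1, alpha, ..., alpha^(d-1)."""
    d = len(f) - 1
    a = [v % p for v in a]
    for k in range(len(a) - 1, d - 1, -1):        # eliminate X^k for k >= d
        c = a[k]
        if c:
            for i in range(d + 1):                  # subtract c·X^(k-d)·f(X)
                a[k - d + i] = (a[k - d + i] - c * f[i]) % p
    a = a[:d]
    return a + [0] * (d - len(a))


def field_mul(x, y, f=F, p=P):
    """Reference multiplication in L: schoolbook product reduced mod f."""
    prod = [0] * (2 * len(x) - 1)
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            prod[i + j] = (prod[i + j] + xi * yj) % p
    return poly_mod(prod, f, p)


def basis_product_matrix(f=F, p=P):
    """B = B_0 || ... || B_{d-1}: the j-th column of B_i is the coordinate vector
    of b_i · b_j = alpha^(i+j). B depends only on f, hence it is public."""
    d = len(f) - 1
    cols = [poly_mod([0] * (i + j) + [1], f, p) for i in range(d) for j in range(d)]
    return [[col[r] for col in cols] for r in range(d)]


def tensor(x, y, p=P):
    """x ⊗ y: block i holds x_i·y_0, ..., x_i·y_{d-1}; in the protocol these are
    the d^2 secure multiplications [x_i]·[y_k] over K."""
    return [xi * yk % p for xi in x for yk in y]


def lifted_mul(x, y, f=F, p=P):
    """[x·y]_L <-> [B(x ⊗ y)]_K: after x ⊗ y, only a local linear map remains."""
    B = basis_product_matrix(f, p)
    v = tensor(x, y, p)
    return [sum(B[r][c] * v[c] for c in range(len(v))) % p for r in range(len(B))]
```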

Finally, we note that if the linearity assumption on the MPC protocol is 
dropped, and instead we work with the model also described in Section 3, where 
more generally secure constant round protocols for generation of shared random 
element, addition and multiplication are assumed, the above sub-protocols still 
work. It is sufficient to argue that unbounded addition can be securely and 
efficiently performed in constant rounds. 

Although this does not directly follow from the model, as is the case with 
linearity, it can be done in similar style as unbounded multiplication of non-zero 
field elements using the ideas of Bar-Ilan and Beaver. This is actually where the 
assumption on secure generation of a shared random value comes into play. It is 
easy to verify that all protocols to follow also work in this more general model. 



5 Overview and Conventions 

Throughout we assume efficient, constant round, secure linear MPC protocols 
over a finite field K. In the analysis we assume that the required properties are 
perfectly satisfied. 

The linear algebraic problems of our interest are determinant, characteristic 
polynomial, rank, sub-space membership, random sampling and general linear 
systems. We first explain secure solutions with negligible error probabilities. 

We will assume that K ("the field of interest") is "large enough", i.e., n 
("dimension" of the linear algebraic problems) is negligible compared to q = |K|. 
Without loss of generality we may use the lifting technique to achieve this. 

In all cases, solutions of the original problems defined over K can be recovered 
from the solutions of the lifted problem. 

In Section 0we argue how to obtain zero-error modifications of our protocols. 



6 Secure MPC of Determinant 

Let [A] be a sharing, where A ∈ K^{n,n}. The goal of the network is to securely 
compute a sharing [det(A)], where det(A) is the determinant of A, efficiently in 
constant rounds. 

Secure computation via the standard definition of determinant is inefficient, 
and a secure version of Gaussian elimination for instance, seems inherently se- 
quential. After we give our efficient and constant round solution, we discuss some 
less efficient alternatives based on combinations of known techniques. 



6.1 The Case of Invertible Matrices 

We start by solving the problem under the assumption that the shared matrix A 
is promised to be invertible and that there exists an efficient constant round pro- 
tocol Π_0 allowing the network to securely generate a pair ([R], [det(R)]) where 
R ∈ K^{n,n} is an (almost) random invertible matrix and det(R) is its determi- 
nant. Note that we do not require that the network can securely compute the 
determinant of a random invertible matrix; we merely require that Π_0 securely 
constructs a sharing of a random invertible matrix together with its determinant. 

In the following, let GL_n(K) ⊂ K^{n,n} denote the group of invertible matrices. 
Let [A] be a sharing, with A ∈ GL_n(K). 
1. Under the assumption that protocol Π_0 is given, the network securely gen- 
erates ([R], [d]), where R ∈ GL_n(K) is random and d = det(R). 

2. By the method of Bar-Ilan and Beaver for secure inversion, the network 
securely computes [d^{-1}] = [d]^{-1}. 

3. The network securely computes [S] = [R] · [A], and reveals S. 

4. All compute e = det(S), and by local operations they securely compute 
[det(A)] = e · [d^{-1}]. 

Note that (S, e) gives no information on A. Also note that the protocol is not 
private if A is not invertible, since e = 0 exactly when that is the case. A 
realization for Protocol Π_0 is shown below. 



Realization of Protocol Π_0. We show an efficient, constant round protocol 
for securely generating pairs ([R], [d]), where R ∈ GL_n(K) is random and d = 
det(R). It achieves perfect correctness. The distribution of (R, d) has a negligible 
bias. 

Our solution is based on the idea of securely multiplying random matrices 
of a special form, and requires that n is negligible compared to q. The protocol 
goes as follows. 

1. The network securely generates the pair of shared vectors [x_L], [x_U], where 
x_L, x_U ∈ K^n both consist of random non-zero entries, and securely computes 

[d] = (∏_{i=1}^n [x_L(i)]) · (∏_{i=1}^n [x_U(i)]). 

This is done using the methods of Bar-Ilan and Beaver for secure unbounded 
fan-in multiplication of non-zero values. 

2. The network securely generates n^2 − n elements [r_i], where the r_i ∈ K are 
random. 

Next, the network defines [L] such that L ∈ K^{n,n} has x_L on its diagonal, 
while the elements below the diagonal are formed by the first (n^2 − n)/2 of 
the [r_i]'s. The elements above the diagonal are set to 0. 

Similarly for the matrix [U], but with x_U on its diagonal, and the remaining 
[r_i]'s placed above the diagonal. The elements below the diagonal are set to 
0. 

Finally, the network securely computes [R] = [L] · [U]. Note that det(R) = 
d ≠ 0. The result of the protocol is set to ([R], [d]). 

Correctness is clear. We now discuss privacy. Define ℒ, 𝒰 as the sub-groups 
of GL_n(K) consisting of the invertible lower- and upper-triangular matrices, i.e., 
the matrices with non-zero diagonal elements, and zeroes above (resp. below) the 
diagonal. For n > 1 these groups are non-abelian. Let 𝒟 denote the invertible 
diagonal matrices, i.e., the matrices with non-zero diagonal elements and zeroes 
elsewhere. We have ℒ ∩ 𝒰 = 𝒟, |ℒ| = |𝒰| = (q − 1)^n · q^{(n^2−n)/2}, |𝒟| = (q − 1)^n. 

Define the map h : ℒ × 𝒰 → GL_n(K), (L, U) ↦ LU, and write ℛ = h(ℒ × 𝒰) 
for the range of h, i.e., ℛ consists of all invertible matrices that can be written 
as the product of a lower- and an upper-triangular matrix. 

For each R ∈ ℛ, it holds that |h^{-1}(R)| = |𝒟|. Using the fact that ℒ, 𝒰 and 
𝒟 are groups and that ℒ ∩ 𝒰 = 𝒟, this claim is easily proved as follows. Let 
R = LU, and let D ∈ 𝒟. Then LD^{-1} ∈ ℒ and DU ∈ 𝒰, and R = (LD^{-1})(DU). 
This shows that R has at least |𝒟| pre-images under h. On the other hand, if 
R = L_0 U_0 = L_1 U_1, then L_1^{-1} L_0 = U_1 U_0^{-1}. Since L_1^{-1} L_0 ∈ ℒ and U_1 U_0^{-1} ∈ 𝒰, 
both are equal to D for some D ∈ 𝒟, and so we can write L_1 = L_0 D^{-1} and 
U_1 = D U_0. 

As a consequence, |ℛ| = |ℒ| · |𝒰| / |𝒟| = (q − 1)^n · q^{n^2−n}. Thus we have 
|ℛ| / |K^{n,n}| = (1 − 1/q)^n, and hence 

|ℛ| / |GL_n(K)| ≥ (1 − 1/q)^n. 

These facts imply that if (L, U) is chosen uniformly at random from ℒ × 𝒰 
then R = LU is distributed uniformly in ℛ, which is almost all of the invertible 
matrices when n is negligible compared to q. (⁴) 

We note that it is possible to devise an alternative for protocol Π_0, where each 
player in the network shares a random invertible matrix and a value he claims is 
the determinant. Invertibility is proved using Bar-Ilan and Beaver's techniques. 
Using cut-and-choose techniques it can be established that this value is indeed 
the determinant. The desired output is obtained by taking products. However, 
this method introduces correctness errors, and is less efficient compared to the 
above solution. 



6.2 The General Case of Determinant 

If A ∈ K^{n,n} is no longer guaranteed to be invertible the situation becomes 
slightly more involved. Although the protocol would still compute the determi- 
nant correctly, security is not provided if the matrix is singular: by inspection of 
the previous protocol, the publicly available value e is equal to 0 exactly when 
A is singular. Moreover, any blinding technique in which a product of A with 
randomizing matrices is revealed, provides a lower bound on A's rank. (⁵) 

We now propose our solution for secure computation of determinant. Let [A] 
be a sharing, where A ∈ K^{n,n} is an arbitrary matrix. The purpose of the network 
is to securely compute a sharing [det(A)] efficiently in constant rounds. 

Let f_A(X) = det(X · I_n − A) ∈ K[X] denote the characteristic polynomial 
of A, where I_n denotes the n × n identity matrix. Then f_A(0) = (−1)^n · det(A) 
and deg f_A = n. By Lagrange interpolation, for distinct z_0, ..., z_n ∈ K, there are 
l_0, ..., l_n ∈ K, depending only on the z_i's, such that det(A) = (−1)^n · f_A(0) = 
(−1)^n · Σ_{i=0}^n l_i · f_A(z_i) = (−1)^n · Σ_{i=0}^n l_i · det(z_i I_n − A). 

Now, for z ∈ K, it holds that z I_n − A ∈ GL_n(K) if and only if f_A(z) ≠ 0, 
i.e., z is not an eigenvalue of A. 

Since A has at most n eigenvalues, the matrix z I_n − A is invertible when z 
is randomly and independently chosen, except with probability at most 1/q. 

⁴ We note that all invertible matrices can be brought into "LUP" form, where L and U 
are invertible matrices in lower-, resp. upper-triangular form, and P is a permutation 
matrix. However, choosing each of these at random, LUP does not have the uniform 
distribution on GL_n(K). Moreover, securely computing the sign of the permutation 
would pose a separate problem at this point. 

⁵ The rank of the product of matrices is at most equal to the smallest rank among 
them. 
This enables a reduction of the problem of securely computing [det(A)] to 
that of secure computation of the determinant of a number of invertible matrices, 
which we now know how to do, and proceed as before. 

1. In parallel, the network securely generates [z_0], ..., [z_n], where the z_i are ran- 
domly distributed in K. They reveal the z_i's. Except with negligible proba- 
bility, the z_i's are distinct (which can be checked of course) and all matrices 
z_i I_n − A are invertible. For i = 0, ..., n, the network securely computes by 
local computations [z_i I_n − A] = z_i I_n − [A]. 

2. Using our protocol for securely computing the determinant of an invertible 
matrix, they securely compute in parallel [det(z_0 I_n − A)], ..., [det(z_n I_n − A)]. 

3. Finally, the network securely computes [det(A)] = (−1)^n · Σ_{i=0}^n l_i · [det(z_i I_n − 
A)], where the l_i are the interpolation coefficients. 

Note that if some Zi happens to be an eigenvalue of A, this becomes publicly 
known, since the sub-protocol for securely computing the determinant of an 
invertible matrix noticeably fails in case it is not invertible. On the other hand, 
it also means that if Zi is not an eigenvalue of A, this also becomes known, and 
the adversary can rule out all matrices of which Zi is an eigenvalue. 

However, it is only with negligible probability that the adversary learns an 
eigenvalue. The actual probability depends on A, but this poses no privacy prob- 
lems since it is negligible anyway. 

Also, the adversary could predict with almost complete certainty in advance 
that Zi is not an eigenvalue. Hence we have almost perfect privacy, and perfect 
correctness. 



6.3 Secure MPC of Characteristic Polynomial 

Let M ∈ K^{n+1,n+1} be the Vandermonde matrix whose i-th row is (1, z_i, ..., z_i^n), 
and write y and f for the (column) vectors whose i-th coordinates are equal to 
y_i = f_A(z_i) = det(z_i I_n − A) and to the coefficient of X^i in f_A(X), respectively. 
Then f = M^{-1} y. 

The protocol above not only securely computes the determinant [det(A)], 
but in fact the coefficient vector f of the characteristic polynomial, if we replace 
the last step by [f] = M^{-1} · ([det(z_0 I_n − A)], ..., [det(z_n I_n − A)])^T. Note that 
we might as well omit computation of the leading coefficient of f_A(X) since it is 
equal to 1 anyway. 



6.4 Alternative Protocol for Unbounded Multiplication

As an aside, we note that a similar reduction via interpolation yields an alternative protocol for unbounded multiplication. Namely, consider [a_1], ..., [a_n] with the a_i's in K, and define f(X) = Π_{i=1}^{n} (X - a_i). By applying interpolation through random points on f(X), we get a similar reduction to the much simpler case of unbounded multiplication of non-zero field elements. Zero-error can be obtained by a method described in Section 9.
6.5 Other Approaches

We discuss some interesting but less efficient alternatives based on combinations of known results, in particular from Parallel Computing.

First we consider a combination of techniques due to Mahajan and Vinay, Ishai and Kushilevitz, and Beimel and Gal.

For our purposes, an Arithmetic Program (AP) is a weighted directed acyclic graph with two distinguished vertices s, t. Each edge is labelled by a variable that can take on a value in a finite field K. The function computed by an AP is defined by taking a path from s to t, multiplying the weights, and summing up over all such paths to finally obtain the function value. The computations take place in the finite field K. By elementary algebraic graph theory, the function value shows up as the (s, t)-entry in the matrix (I - H)^{-1}, where H is the adjacency matrix of the weighted graph. Ishai and Kushilevitz nicely exploit this fact in their construction of representations of functions in terms of certain degree-3 randomized polynomials obtained from branching programs.

The result of Mahajan and Vinay in particular says that there is an AP with roughly […] vertices for computing determinant. The weights are entries from the matrix of interest, where the correspondence does not depend on the actual matrix.

Therefore, determinant can in principle be securely computed using a single secure matrix inversion. Unfortunately, this matrix has dimension greater than n^[…]. Bar-Ilan and Beaver's inversion applied to the matrix I - H essentially requires secure multiplication of two […] × […] matrices. Methods for securely computing a sharing of just the (s, t)-entry of (I - H)^{-1} rather than the whole matrix (via a classical identity relating the inverse with determinants) seem to require secure computations of determinant in the first place.

Another approach can be based on Leverrier's Lemma (see e.g. [ref]), which retrieves the coefficients of the characteristic polynomial by inverting a certain lower-triangular matrix, where each entry below the diagonal is the trace of a power of the matrix of interest. This lemma is obtained by combining Newton's identities with the fact that these traces correspond to sums of powers of the characteristic roots.

If K = GF(p), with p a prime greater than the dimension n of the matrix, it is possible to devise a secure protocol for the characteristic polynomial whose complexity is dominated by securely computing all i-th powers of the matrix, for i = 1 ... n. These terms can be computed separately using techniques of Bar-Ilan and Beaver, or by using the observation that obtaining the n powers of an n × n matrix is no harder than inverting an n^2 × n^2 matrix (see e.g. [ref] for more details).

Note that our solution for large fields essentially just requires secure multiplication of two n × n matrices (due to Bar-Ilan and Beaver's matrix inversion) if the matrix is promised to be invertible, and n times that amount in the general case.
7 Secure MPC of Rank

The purpose of the network is to securely compute the rank of a matrix A efficiently in constant rounds. An important feature of our solution is that the network in fact securely computes a sharing [r], where r ∈ K^n encodes the rank of A in unary. This means that, when viewed as a column vector, all non-zero entries of r are equal to 1 and occur in the bottom r positions. Rank encoded this way facilitates an easy way to securely compare the ranks of given matrices, as we show in an application to the subspace membership problem later on.

We note that Ishai and Kushilevitz have proposed an elegant and efficient protocol for secure computation of rank. Their protocol produces a random shared matrix with the same rank as the shared input matrix. This particular way of encoding rank, however, seems to limit applicability in a scenario of ongoing secure multi-party computations.

In some special cases, such as when a square matrix A is in triangular form, its rank r(A) can be read off its characteristic polynomial f_A(X), as n - t, where X^t is the largest power of X that divides f_A(X), and n is its degree. This is not always the case.

Mulmuley proved the following result. Let S ∈ K^{m,m} be symmetric. Let Y be an indeterminate, and define the diagonal matrix D = (d_{ii}) ∈ K[Y]^{m,m} with d_{ii} = Y^{i-1}. Let f_{DS}(X) ∈ K[X,Y] denote the characteristic polynomial of DS ∈ K[Y]^{m,m}. Then r(S) = m - t where t is maximal such that X^t divides the characteristic polynomial f_{DS}(X) ∈ K[X,Y] of DS. In other words, f_{DS}(X) = X^{m-r(S)} · Σ_{i=0}^{r(S)} f_i(Y) X^i, where f_0(Y) ≠ 0 and f_{r(S)}(Y) = (-1)^m.

If S is not symmetric, it can be replaced by the symmetric matrix S*, which has S^T in its lower-left corner and S in its upper-right corner, while the rest is set to 0. Both dimension and rank of S* are twice that of S.

We exploit this result as follows. Let [A] be a sharing with A ∈ K^{n,n}.*

The network first constructs a sharing [A*] of the symmetric matrix A* ∈ K^{2n,2n}, which is done locally in a trivial manner. Next, they securely generate [y_0] with y_0 random in K, and reveal it. Define D_0 ∈ K^{2n,2n} as the matrix D from above, with the substitution Y = y_0.

If f_0(y_0) ≠ 0, then 2 · r(A) = 2n - t, with X^t the largest power of X that divides the characteristic polynomial f_{D_0 A*}(X) ∈ K[X] of the matrix D_0 A*. Since the degree of f_0(Y) is at most n(2n - 1) (as follows from simple inspection), f_0(y_0) ≠ 0, except with probability n(2n - 1)/q.

The next step for the network is to securely compute f_{D_0 A*}(X). To this end, they publicly compute D_0 from y_0, and then by local computations [D_0 A*] = D_0 [A*]. Using our Characteristic Polynomial Protocol they securely compute a sharing of the coefficient vector of the polynomial.

Viewing this as a column vector whose i-th entry is the coefficient of X^i in the polynomial, i = 0 ... 2n - 1, and neglecting the coefficient of X^{2n}, it has its top t entries equal to zero, while the (t + 1)-st is non-zero. By discarding "every second" entry we obtain a vector f ∈ K^n whose top n - r entries are zero, while its (n - r + 1)-st entry is non-zero, where r = r(A).

* Note that if A is not square, say A ∈ K^{n,m}, then we can easily extend A to a square matrix whose rank is the same, by appending all-zero rows or columns. This leads to an s × s matrix where s = max(n, m).

Definition 1. Let v ∈ K^n be a column vector, and let 0 ≤ r ≤ n be an integer. We say that v is an almost-unary encoding of r if its bottom r entries are non-zero, while it has zeroes elsewhere. If the non-zero entries are all equal to 1, we say that v is a unary encoding of r.

If H ∈ K^{n,n} is a random lower-triangular matrix, then H f has its top n - r entries equal to 0, while its bottom r entries are randomly and independently distributed in K. Hence, except with probability at most r/q ≤ n/q, H f is a random almost-unary encoding of A's rank r. The actual probability depends on the rank, but it is negligible anyway.

The network now simply securely generates a sharing [H] of a random lower-triangular matrix, reveals it, and non-interactively computes the almost-unary encoding of A's rank as [H f] = H · [f].

A unary encoding [r] of A's rank r can be securely computed from [H f] by applying the protocol Π_1 mentioned earlier. This protocol starts from a sharing [x] with x ∈ K, and securely computes [h(x)] in constant rounds, where h(x) = 1 if x ≠ 0 and h(x) = 0 if x = 0.*

Applying protocol Π_1 in parallel to each of the entries of the almost-unary encoding H f, we get the desired result. We show one realization of such a protocol below. A less efficient, but more general method was shown in Section [ref].
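The interpolation step of Section 6.3 and the rank encoding of Section 7, worked through in the clear as an added example. This code is not from the paper: the authors' protocols operate on sharings, whereas here every [·] is a plain field element, so only the algebra is demonstrated, not the secure computation. Assumed: a constructed prime field GF(P) with P = 2^31 - 1, determinants taken by Leibniz expansion (adequate for the tiny matrices used), and interpolation through the Lagrange basis in place of an explicit Vandermonde inverse.

```python
import itertools
import random

P = 2147483647  # constructed: the Mersenne prime 2^31 - 1, our field K = GF(P)


def det_mod(M, p=P):
    """Determinant over GF(p) by Leibniz expansion; fine for the small n used here."""
    n = len(M)
    total = 0
    for perm in itertools.permutations(range(n)):
        # sign of perm is (-1)^(number of inversions)
        inv = sum(1 for i in range(n) for j in range(i + 1, n) if perm[i] > perm[j])
        term = (-1) ** inv
        for i in range(n):
            term = term * M[i][perm[i]] % p
        total = (total + term) % p
    return total


def poly_mul(a, b, p=P):
    """Product of two polynomials given as coefficient lists (index = power of X)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def interpolate(zs, ys, p=P):
    """Coefficients of the unique polynomial of degree <= len(zs)-1 with f(z_i) = y_i.
    This is f = M^{-1} y for the Vandermonde matrix M of Section 6.3, computed through
    the Lagrange basis instead of an explicit matrix inverse."""
    n = len(zs)
    coeffs = [0] * n
    for i in range(n):
        basis, denom = [1], 1
        for j in range(n):
            if j != i:
                basis = poly_mul(basis, [(-zs[j]) % p, 1], p)   # times (X - z_j)
                denom = denom * (zs[i] - zs[j]) % p
        scale = ys[i] * pow(denom, -1, p) % p
        for k in range(n):
            coeffs[k] = (coeffs[k] + scale * basis[k]) % p
    return coeffs


def charpoly(A, p=P):
    """f_A(X) = det(X I - A): evaluate det(z_i I - A) at n+1 random distinct z_i
    (steps 1 and 2 of the protocol) and interpolate (the modified step 3).
    Index i of the result holds the coefficient of X^i; the last entry is 1."""
    n = len(A)
    zs = random.sample(range(p), n + 1)            # distinct, as the protocol checks
    ys = []
    for z in zs:
        M = [[((z if i == j else 0) - A[i][j]) % p for j in range(n)] for i in range(n)]
        ys.append(det_mod(M, p))
    return interpolate(zs, ys, p)


def det_via_interpolation(A, p=P):
    """det(A) = (-1)^n f_A(0): the lambda_i of step 3 are the Lagrange weights at X = 0."""
    return (-1) ** len(A) * charpoly(A, p)[0] % p


def symmetrize(A, p=P):
    """A* of Section 7: A^T in the lower-left block, A in the upper-right, zero elsewhere."""
    n = len(A)
    S = [[0] * (2 * n) for _ in range(2 * n)]
    for i in range(n):
        for j in range(n):
            S[i][n + j] = A[i][j] % p
            S[n + j][i] = A[i][j] % p
    return S


def rank_encodings(A, p=P):
    """(almost-unary, unary) encodings of r(A) for square A, following Section 7."""
    n = len(A)
    S = symmetrize(A, p)
    y0 = random.randrange(1, p)                    # the revealed random point for Y
    # D_0 A*: row i (0-based) of A* scaled by y0^i, i.e. d_ii = Y^(i-1) with Y = y0
    D0S = [[pow(y0, i, p) * S[i][j] % p for j in range(2 * n)] for i in range(2 * n)]
    f = charpoly(D0S, p)[0:2 * n:2]                # drop X^(2n), keep every second entry
    # random lower-triangular H: (H f)_j only involves f_0, ..., f_j
    H = [[random.randrange(p) if k <= j else 0 for k in range(n)] for j in range(n)]
    almost = [sum(H[j][k] * f[k] for k in range(n)) % p for j in range(n)]
    unary = [pow(v, p - 1, p) for v in almost]     # h(x) = x^(q-1) applied entrywise
    return almost, unary


if __name__ == "__main__":
    A = [[1, 2], [2, 4]]                           # constructed: rank 1
    print(charpoly(A), det_via_interpolation(A), rank_encodings(A)[1])
```

rank_encodings returns the almost-unary vector H f and the unary vector obtained by applying h(x) = x^{q-1} entrywise. The two failure events of the text (f_0(y_0) = 0, or a zero among the bottom r entries of H f) together have probability at most (n(2n - 1) + n)/P per call, which is why a large P is used.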



7.1 Protocol Π_1 Based on Secure Exponentiation

We assume that the field K has "small" characteristic p, and that the MPC protocol over K run by the network can be viewed as a lifting from protocols over GF(p) to K.

Let [x] with x ∈ K be a sharing. Note that h(x) = x^{q-1}, where q = |K|.

The first idea that comes to mind is to securely perform repeated squaring. This requires O(log q) rounds of communication however. Applying the constant round protocol of Bar-Ilan and Beaver for unbounded fan-in secure multiplication to our problem is no option either, since in this case the communication overhead will be polynomial in q instead of log q.

Another idea is to apply Bar-Ilan and Beaver's protocol for secure inversion. Namely, the network would securely compute [y], where y = x^{-1} if x ≠ 0 and y = 0 if x = 0, and finally compute [h(x)] = [x] · [y]. Unfortunately, the network would learn that x = 0 in the first step, as can be seen by inspection of the Bar-Ilan and Beaver method. Hence, the security requirements are contradicted. We note that the function h defined above is closely related to the Normalization Function defined in [ref], which tells whether two elements are equal or not. They show how this function (and hence h as well) can be securely computed in constant rounds if the field K is small.

We need an alternative approach which works for exponentially large fields. Our solution comes at the expense of assuming small characteristic. Write d for the degree of K over GF(p). So q = p^d = |K|. Let 1 ≤ s ≤ q - 1 be a given, public integer, and let [x] with x ∈ K be a sharing. This is how they can securely compute [x]^s, efficiently in constant rounds. Setting s = q - 1, we get the desired protocol Π_1.

* As an aside, note that h(x) is the rank of the 1 × 1 matrix x.

Taking p-th powers in K is a field automorphism of K that leaves GF(p) fixed. In particular this means that this map can be viewed as an automorphism of K as a GF(p)-vector space. Let B ∈ GL_d(GF(p)) denote the (public) matrix representing this map, with respect to the chosen basis. Then for i ≥ 1, the matrix B^i ∈ GL_d(GF(p)) represents taking p^i-th powers.

For i = 0 ... d - 1, write z_i = x^{p^i}. Let s = Σ_{i=0}^{d-1} s_i p^i be the p-ary representation of s. Then we have x^s = x^{Σ_{i=0}^{d-1} s_i p^i} = Π_{i=0}^{d-1} x^{s_i p^i} = Π_{i=0}^{d-1} z_i^{s_i}. If (x_0, ..., x_{d-1}) ∈ GF(p)^d is the vector representation of x, then the vector representation of z_i is B^i (x_0, ..., x_{d-1})^T. Since B^i is public and since the vector representation of x is available as sharings, the network can securely compute the vector representation of [z_i] by local computations. Next, the network securely computes the s_i-th powers of the z_i, running Bar-Ilan's and Beaver's unbounded fan-in secure multiplication protocols in parallel. Each of these steps costs O(p^{…}) secure multiplications, so the total number is O(log q · p^{…}). But since p is "small" (for instance, constant or polynomial in log q), this is efficient. The protocol is finalized by securely multiplying the d = O(log q) results together using the same technique.
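The Frobenius-matrix exponentiation of Section 7.1, as an added example in the clear (this is not the paper's code). K = GF(3^4) is a constructed choice with the assumed irreducible modulus t^4 + t + 2 over GF(3); elements are coefficient vectors over the basis 1, t, t^2, t^3, so B is the 4 × 4 matrix of the map x → x^3 and the z_i = B^i vec(x) are linear in x. The Bar-Ilan/Beaver unbounded fan-in multiplications are replaced by plain multiplications since nothing here is shared.

```python
P, D = 3, 4
MODULUS = [2, 1, 0, 0, 1]   # t^4 + t + 2, coefficients from t^0 upward (assumed irreducible)
Q = P ** D                  # |K| = 81

ONE = [1] + [0] * (D - 1)


def fmul(a, b):
    """Multiply two elements of K (length-D coefficient lists) modulo m(t)."""
    prod = [0] * (2 * D - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % P
    for k in range(2 * D - 2, D - 1, -1):           # fold t^k, k >= D, back below t^D
        c = prod[k]
        if c:
            for i in range(D + 1):
                prod[k - D + i] = (prod[k - D + i] - c * MODULUS[i]) % P
    return prod[:D]


def fpow_naive(a, e):
    """a^e by e multiplications; the reference the Frobenius route is checked against."""
    r = ONE[:]
    for _ in range(e):
        r = fmul(r, a)
    return r


def frobenius_matrix():
    """B in GL_d(GF(p)): column j is the coordinate vector of (t^j)^p, so B vec(x) = vec(x^p)
    because x -> x^p is GF(p)-linear."""
    cols = [fpow_naive([int(i == j) for i in range(D)], P) for j in range(D)]
    return [[cols[j][i] for j in range(D)] for i in range(D)]


def mat_vec(M, v):
    return [sum(M[i][j] * v[j] for j in range(D)) % P for i in range(D)]


def mat_mul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(D)) % P for j in range(D)] for i in range(D)]


def frobenius_order():
    """Smallest i >= 1 with B^i = I; equals d since x^(p^d) = x for all x in K."""
    B = frobenius_matrix()
    Bi, i = B, 1
    identity = [[int(r == c) for c in range(D)] for r in range(D)]
    while Bi != identity:
        Bi, i = mat_mul(Bi, B), i + 1
    return i


def fpow_frobenius(x, s):
    """x^s for a public integer 1 <= s <= q-1, following Section 7.1:
    z_i = x^(p^i) = B^i vec(x) are linear (hence local) computations, and
    x^s = prod_i z_i^(s_i) over the p-ary digits s_i of s; each factor needs
    at most p-2 multiplications (one unbounded fan-in step in the protocol)."""
    B = frobenius_matrix()
    digits = []
    for _ in range(D):
        digits.append(s % P)
        s //= P
    Bi = [[int(i == j) for j in range(D)] for i in range(D)]      # B^0 = I
    result = ONE[:]
    for i in range(D):
        z_i = mat_vec(Bi, x)
        result = fmul(result, fpow_naive(z_i, digits[i]))
        Bi = mat_mul(Bi, B)
    return result


def h(x):
    """h(x) = x^(q-1): ONE for x != 0 and the zero vector for x = 0 (Protocol Pi_1, s = q-1)."""
    return fpow_frobenius(x, Q - 1)


def check_h_on_all_elements():
    """True iff h is correct on every one of the q elements of K (enumerated in base p)."""
    for idx in range(Q):
        x = [(idx // P ** i) % P for i in range(D)]
        expected = [0] * D if idx == 0 else ONE
        if h(x) != expected:
            return False
    return True
```

The check over all 81 elements doubles as a test that the modulus really is irreducible: over a ring with zero divisors some non-zero x would fail x^{q-1} = 1.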

7.2 Application to Sub-space Membership Decisions

Using our Rank Protocol, the network can securely compute a shared decision bit [b] from [A] and [y], where b = 1 if the linear system Ax = y is solvable and b = 0 otherwise.

Defining A_y by concatenating y to A as the last column, we have 1 - b = r(A_y) - r(A), where r(·) denotes the rank of a matrix and b = 1 if the system is solvable, and b = 0 otherwise.

Suitably padding both matrices with zeroes, we make them both square of the same dimension, while their respective ranks are unchanged. Running the Rank Protocol in parallel, the network now securely computes unary encodings [r], [r_y] of the ranks of A and A_y, respectively. It holds that r(A) = r(A_y) exactly when r = r_y.

Next, the network securely computes [u] = [r] - [r_y] by local computations, securely generates [v] with v random in K^n, and finally securely computes the scalar [u] = [u]^T · [v]. Except with negligible probability 1/q, it holds that u = 0 if b = 1 and u ≠ 0 if b = 0. The network securely computes [b] = 1 - [h(u)], using protocol Π_1.

8 General Linear Systems

Let [A] and [y] be sharings, where A is a square matrix,* say A ∈ K^{n,n}, and y ∈ K^n. The purpose of the network is to securely compute [b], [x] and [B], efficiently and in constant rounds, with the following properties. If the system is solvable, b = 1 and x ∈ K^n and B ∈ K^{n,n} are such that Ax = y and the columns of B generate the null-space Ker A (optionally, the non-zero columns form a basis). If the system is not solvable, b = 0, and [x], [B] are both all-zero.

* As in the Rank Protocol, the assumption that A is a square matrix is not a limitation.

Our solution is based on a Random Sampling Protocol which we describe first.



8.1 Secure Random Sampling

Let y be given to the network, and assume for the moment that the linear system Ax = y has a solution. The purpose of the network is to securely compute [x], where x is a random solution of Ax = y, efficiently and in constant rounds. Note that in particular this implies a means for the network to securely sample random elements from Ker A by setting y = 0.

Our approach is to reduce the problem to that of solving a regular system, since this can be handled by the methods of Bar-Ilan and Beaver. Using the Sub-Space Membership Protocol the network first securely computes the shared decision bit [b] on whether the system has a solution at all. Applying that same protocol in an appropriate way, they are able to select a linearly independent generating subset of the columns of A, and to replace the other columns by random ones. With high probability θ, this new matrix T is invertible: if r is the rank of A, then θ = […] ≥ 1 - […], which differs from 1 only negligibly.

This means that, with high probability, the methods of Bar-Ilan and Beaver can be applied to the system T x_1 = y in the unknown x_1. More precisely, they are applied to the system T x_1 = y - y_0, where y_0 is a random linear combination over the columns of A that were replaced by columns of R in the construction of T. In other words, y_0 = A x_0 for x_0 chosen randomly such that its i-th coordinate equals 0 if c_i = 1.

If T is indeed invertible and if Ax = y has a solution at all, then the coordinates of x_1 corresponding to the "random columns" in T must be equal to 0. Then x = x_0 + x_1 is a solution of Ax = y, since Ax = A x_0 + A x_1 = y_0 + T x_1 = y_0 + (y - y_0) = y. It is also clearly random, since x_1 is unique given y and random x_0.

The result of the protocol is computed as ([b], [b] · [x]), where b is the decision bit computed at the beginning.

Here are the details. Write k_1, ..., k_n to denote the columns of A, and set k_0 = 0. Define the vector c ∈ K^n by c_i = 1 if k_i is not a linear combination of k_0, ..., k_{i-1}, and c_i = 0 otherwise. Note that B = {k_i : c_i = 1} is a basis for the space generated by the columns of A.

The shared vector [c] is securely computed by applying the Sub-Space Membership Protocol in parallel to the pairs ([A_{i-1}], [k_i]), where A_i is the matrix consisting of the columns k_0, ..., k_{i-1}, and "negating" the resulting shared decision bits.

Write [C] for the shared diagonal matrix with c on its diagonal. We'll use this matrix as a selector as follows. After generating a random shared matrix [R], the network replaces the columns in A that do not belong to the basis B by corresponding columns from R, by securely computing [T] = [A] · [C] + [R] · ([I - C]). As argued before, T is invertible with high probability.

Next, they securely generate a random shared vector [x_0] with zeroes at the coordinates i with k_i ∈ B, by generating [x_0] randomly, and securely multiplying its i-th coordinate by [1 - c_i], i = 1, ..., n. The shared vector [y_0] is now securely computed as [y_0] = [A] · [x_0].

Using Bar-Ilan and Beaver's method for securely solving a regular system, the network computes [x_1] = [T]^{-1} · ([y] - [y_0]), and finally [x] = [x_0] + [x_1] and [b] · [x]. They take ([b], [b] · [x]) as the result.



8.2 General Linear Systems Protocol

Let [A], [y] be sharings, where A ∈ K^{n,n} and y ∈ K^n. If x is a solution of Ax = y, then the complete set of solutions is given by x + Ker(A).

Using the Random Sampling Protocol it is now an easy task for the network to securely solve a system of linear equations efficiently in constant rounds.

Assume for the moment that the system is solvable. The network first securely generates [u_1], ..., [u_n], where the u_i are independently random samples from Ker A. With high probability, these actually generate Ker A. The network defines [B] such that the i-th column of B is u_i. Next, they securely compute [x], where x is an arbitrary solution of the linear system. The result of the protocol is ([x], [B]).

To deal with the general case, where the system may not be solvable, we first have the network securely compute [b] using the Sub-Space Membership Protocol, where b is the bit that indicates whether it is solvable. After [x], [B] has been securely computed, they securely compute ([b] · [x], [b] · [B]), and take ([b], ([b] · [x], [b] · [B])) as the result.
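The Sub-Space Membership decision of Section 7.2, the Random Sampling Protocol of Section 8.1 and the kernel sampling of Section 8.2, as one added example in the clear (not the paper's code). Gaussian elimination over a constructed prime field stands in for the Rank Protocol and for Bar-Ilan and Beaver's regular-system solver; the column selection vector c, the random replacement matrix R, the selector T = A C + R (I - C) and the x_0 / x_1 split follow the text, with every shared [·] a plain value here.

```python
import random

P = 1000003  # constructed: a small prime, our field K = GF(P)


def row_reduce(M, p=P):
    """Reduced row echelon form over GF(p); returns (reduced matrix, rank).
    Stands in for the Rank Protocol: in the real protocol [A] stays shared."""
    M = [row[:] for row in M]
    rows, cols = len(M), (len(M[0]) if M else 0)
    r = 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c] % p), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c] % p:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        r += 1
    return M, r


def rank_mod(M, p=P):
    return row_reduce(M, p)[1]


def solvable(A, y, p=P):
    """Section 7.2: b = 1 iff r(A_y) = r(A), where A_y is A with y appended as a column."""
    Ay = [row + [yi] for row, yi in zip(A, y)]
    return 1 if rank_mod(Ay, p) == rank_mod(A, p) else 0


def mat_vec(M, v, p=P):
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def solve_regular(T, v, p=P):
    """x with T x = v for invertible T (stands in for Bar-Ilan and Beaver's solver)."""
    n = len(T)
    if rank_mod(T, p) != n:
        raise ValueError("T is singular; the protocol's high-probability case failed")
    R, _ = row_reduce([T[i][:] + [v[i]] for i in range(n)], p)
    return [R[i][n] for i in range(n)]        # [T | v] reduces to [I | T^{-1} v]


def random_solution(A, y, p=P):
    """Section 8.1: returns (b, b*x) with x a random solution of Ax = y when b = 1."""
    n = len(A)
    b = solvable(A, y, p)
    cols = [[A[i][j] for i in range(n)] for j in range(n)]        # k_1, ..., k_n
    # c_j = 1 iff k_j is not a combination of the earlier columns (k_0 = 0):
    # membership test on the pair (A_{j-1}, k_j), then negate the bit
    c = [1 - solvable([[cols[k][i] for k in range(j)] for i in range(n)], cols[j], p)
         for j in range(n)]
    R = [[random.randrange(p) for _ in range(n)] for _ in range(n)]
    T = [[A[i][j] if c[j] else R[i][j] for j in range(n)] for i in range(n)]   # A C + R (I - C)
    x0 = [0 if c[j] else random.randrange(p) for j in range(n)]   # zero on basis coordinates
    y0 = mat_vec(A, x0, p)
    x1 = solve_regular(T, [(yi - y0i) % p for yi, y0i in zip(y, y0)], p)
    x = [(u + v) % p for u, v in zip(x0, x1)]
    return b, [b * xi % p for xi in x]


def kernel_generators(A, p=P):
    """Section 8.2: n independent random samples from Ker A (the columns of B)."""
    n = len(A)
    return [random_solution(A, [0] * n, p)[1] for _ in range(n)]


if __name__ == "__main__":
    A, y = [[1, 2], [2, 4]], [3, 6]                           # constructed, rank 1
    print(solvable(A, y), random_solution(A, y), kernel_generators(A))
```

For the rank-1 matrix above, c = (1, 0): the second column is replaced by a random one, x_0 is random only in its second coordinate, and x = x_0 + x_1 sweeps the whole solution line as x_0 varies, which is the randomness argument of Section 8.1.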



9 Achieving Perfect Correctness and Privacy

By inspection of our protocols, non-zero error probabilities arise when the network happens to select zeroes of "hidden" polynomials. Since upper bounds on their degree are known, such errors can be avoided altogether by passing to an extension field and having the network select elements with sufficiently large algebraic degree instead. This, together with some other minor modifications, leads to protocols with perfect correctness in all cases. In [ref] we study efficient alternatives with perfect privacy, thereby avoiding the need for large fields.
Two-Party Generation of DSA Signatures

(Extended Abstract) 



Philip MacKenzie and Michael K. Reiter 
Bell Labs, Lucent Technologies, Murray Hill, NJ, USA 



Abstract. We describe a means of sharing the DSA signature function, 
so that two parties can efficiently generate a DSA signature with respect 
to a given public key but neither can alone. We focus on a certain 
instantiation that allows a proof of security for concurrent execution in 
the random oracle model, and that is very practical. We also briefly 
outline a variation that requires more rounds of communication, but 
that allows a proof of security for sequential execution without random 
oracles. 



1 Introduction

In this paper we present an efficient and provably secure protocol by which alice and bob, each holding a share of a DSA private key, can (and must) interact to generate a DSA signature on a given message with respect to the corresponding public key. As noted in previous work on multiparty DSA signature generation (e.g., [refs]), shared generation of DSA signatures tends to be more complicated than shared generation of many other types of ElGamal-based signatures because (i) a shared secret must be inverted, and (ii) a multiplication must be performed on two shared secrets. One can see this difference by comparing a Harn signature with a DSA signature, say over parameters <g, p, q>, with public/secret key pair <y(= g^x mod p), x> and ephemeral public/secret key pair <r(= g^k mod p), k>. In a Harn signature, one computes

s ← x(hash(m)) - kr mod q

and returns a signature <r, s>, while for a DSA signature, one computes

s ← k^{-1}(hash(m) + xr) mod q,

and returns a signature <r mod q, s>. Obviously, to compute the DSA signature the ephemeral secret key must be inverted, and the resulting secret value must be multiplied by the secret key. For security, all of these secret values must be shared, and thus inversion and multiplication on shared secrets must be performed. Protocols to perform these operations have tended to be much more complicated than protocols for adding shared secrets.

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 137–154, 2001.

© Springer-Verlag Berlin Heidelberg 2001
Of course, protocols for generic secure two-party computation (e.g., [ref]) could be used to perform two-party DSA signature generation, but here we explore a more efficient protocol to solve this particular problem. To our knowledge, the protocol we present here is the first practical and provably secure protocol for two-party DSA signature generation. As building blocks, it uses a public key encryption scheme with certain useful properties (for which several examples exist) and efficient special-purpose zero-knowledge proofs. The assumptions under which these building blocks are secure are the assumptions required for security of our protocol. For example, by instantiating our protocol with particular constructions, we can achieve a protocol that is provably secure under the decision composite residuosity assumption (DCRA) [ref] and the strong RSA assumption [ref] when executed sequentially, or one that is provably secure in the random oracle model under the DCRA and strong RSA assumption, even when arbitrarily many instances of the protocol are run concurrently. The former protocol requires eight messages, while the latter protocol requires only four messages.

Our interest in two-party DSA signature generation stems from our broader research into techniques by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized against offline dictionary attacks in case the device is captured [22]. Briefly, we achieve this by involving a remote server in the device's private key computations, essentially sharing the cryptographic computation between the device and the server. Our original work [22] showed how to accomplish this for the case of RSA functions or certain discrete-log-based functions other than DSA, using known techniques for sharing those functions between two parties. The important case of DSA signatures is enabled by the techniques of this paper. Given our practical goals, in this paper we focus on the most efficient (four message, random oracle) version of our protocol, which is quite suitable for use in the context of our system.



2 Related Work

Two-party generation of DSA signatures falls into the category of threshold signatures, or more broadly, threshold cryptography. Early work in the field is due to Boyd, Desmedt, Croft and Harris, Frankel, and Desmedt and Frankel. Work in threshold cryptography for discrete-log based cryptosystems other than DSA is due to Desmedt and Frankel, Hwang, Pedersen, Harn, Park and Kurosawa, Herzberg et al., Frankel et al., and Jarecki and Lysyanskaya.

Several works have developed techniques directly for shared generation of DSA signatures. Langford presents threshold DSA schemes ensuring unforgeability against one corrupt player out of n ≥ 3; of t corrupt players out of n for arbitrary t < n under certain restrictions (see below); and of t corrupt players out of n ≥ t^2 + t + 1. Cerecedo et al. and Gennaro et al. present threshold schemes that prevent t corrupt players out of n ≥ 2t + 1 from forging, and thus require a majority of correct players. Both of these works further develop robust solutions, in which the t corrupted players cannot interfere with the other n - t signing a message, provided that stronger conditions on n and t are met (at least n ≥ 3t + 1). However, since we consider the two party case only, robustness is not a goal here.

The only previous proposal that can implement two-party generation of DSA signatures is due to Langford [ref, Section 5.1], which ensures unforgeability against t corrupt players out of n for an arbitrary t < n. This is achieved, however, by using a trusted center to precompute the ephemeral secret key k for each signature and to share k^{-1} mod q and k^{-1} x mod q among the n parties. That is, this solution circumvents the primary difficulties of sharing DSA signatures, inverting a shared secret and multiplying shared secrets as discussed in Section 1, by using a trusted center. Recognizing the significant drawbacks of a trusted center, Langford extends this solution by replacing the trusted center with three centers (that protect k^{-1} and k^{-1} x from any one) [ref, Section 5.2], thereby precluding this solution from being used in the two-party case. In contrast, our solution suffices for the two-party case without requiring the players to store precomputed, per-signature values. Since our motivating application naturally admits a trusted party for initializing the system (see [ref]), for the purposes of this extended abstract we assume a trusted party to initialize alice and bob with shares of the private signing key. In the full version of this paper, we will describe the additional machinery needed to remove this assumption.

3 Preliminaries

Security parameters. Let κ be the main cryptographic security parameter used for, e.g., hash functions and discrete log group orders; a reasonable value today may be κ = 160. We will use κ' > κ as a secondary security parameter for public key modulus size; reasonable values today may be κ' = 1024 or κ' = 2048.

Signature schemes. A digital signature scheme is a triple (G_sig, S, V) of algorithms, the first two being probabilistic, and all running in expected polynomial time. G_sig takes as input 1^κ and outputs a public key pair (pk, sk), i.e., (pk, sk) ← G_sig(1^κ). S takes a message m and a secret key sk as input and outputs a signature σ for m, i.e., σ ← S_sk(m). V takes a message m, a public key pk, and a candidate signature σ' for m and returns the bit b = 1 if σ' is a valid signature for m, and otherwise returns the bit b = 0. That is, b ← V_pk(m, σ'). Naturally, if σ ← S_sk(m), then V_pk(m, σ) = 1.

DSA. The Digital Signature Algorithm [ref] was proposed by NIST in April 1991, and in May 1994 was adopted as a standard digital signature scheme in the U.S. [ref]. It is a variant of the ElGamal signature scheme [ref], and is defined as follows, with κ = 160, κ' set to a multiple of 64 between 512 and 1024, inclusive, and hash function hash defined as SHA-1 [ref]. Let "z ←_R S" denote the assignment to z of an element of S selected uniformly at random. Let ≡_q denote equivalence modulo q.
G_DSA(1^κ): Generate a κ-bit prime q and a κ'-bit prime p such that q divides p - 1. Then generate an element g of order q in Z_p^*. The triple <g, p, q> is public. Finally generate x ←_R Z_q and y ← g^x mod p, and let <g, p, q, x> and <g, p, q, y> be the secret and public keys, respectively.

S_<g,p,q,x>(m): Generate an ephemeral secret key k ←_R Z_q and ephemeral public key r ← g^k mod p. Compute s ← k^{-1}(hash(m) + xr) mod q. Return <r mod q, s> as the signature of m.

V_<g,p,q,y>(m, <r, s>): Return 1 if 0 < r < q, 0 < s < q, and r ≡_q (g^{hash(m) s^{-1}} y^{r s^{-1}} mod p), where s^{-1} is computed modulo q. Otherwise, return 0.



Encryption schemes. An encryption scheme is a triple (G_enc, E, D) of algorithms, the first two being probabilistic, and all running in expected polynomial time. G_enc takes as input 1^κ and outputs a public key pair (pk, sk), i.e., (pk, sk) ← G_enc(1^κ). E takes a public key pk and a message m as input and outputs an encryption c for m; we denote this c ← E_pk(m). D takes a ciphertext c and a secret key sk and returns either a message m such that c is a valid encryption of m, if such an m exists, and otherwise returns ⊥.

Our protocol employs a semantically secure encryption scheme with a certain additive homomorphic property. For any public key pk output from the G_enc function, let M_pk be the space of possible inputs to E_pk, and C_pk the space of possible outputs of E_pk. Then we require that there exist an efficient implementation of an additional function +_pk : C_pk × C_pk → C_pk such that (written as an infix operator):

m_1, m_2, m_1 + m_2 ∈ M_pk ⇒ D_sk(E_pk(m_1) +_pk E_pk(m_2)) = m_1 + m_2     (1)

Examples of cryptosystems for which +_pk exist (with M_pk = [-v, v] for a certain value v) are due to Naccache and Stern, Okamoto and Uchiyama, and Paillier.* Note that (1) further implies the existence of an efficient function ×_pk : C_pk × M_pk → C_pk such that

m_1, m_2, m_1 m_2 ∈ M_pk ⇒ D_sk(E_pk(m_1) ×_pk m_2) = m_1 m_2     (2)

In addition, in our protocol, a party may be required to generate a noninteractive zero knowledge proof of a certain predicate P involving decryptions of elements of C_pk, among other things. We denote such a proof as zkp[P]. In Section 10 we show how these proofs can be accomplished if the Paillier cryptosystem is in use. We emphasize, however, that our use of the Paillier cryptosystem is only exemplary; the other cryptosystems cited above could equally well be used with our protocol.

* The cryptosystem of Benaloh also has this additive homomorphic property, and thus could also be used in our protocol. However, it would be less efficient for our purposes.
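The homomorphic operations +_pk of equation (1) and ×_pk of equation (2), as an added example (not from the paper) on a textbook Paillier instance: ciphertexts are multiplied modulo n^2 to add plaintexts, and raised to a plaintext power to multiply by a constant, which is the repeated-addition argument behind "(1) implies (2)". The primes are constructed toy values, M_pk is Z_n here, and g = n + 1 is the standard simplification; a real key uses a κ'-bit modulus.

```python
import math
import random


def keygen(p, q):
    """Paillier key pair from two primes (here constructed toy primes). pk = (n, g)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)      # lambda = lcm(p-1, q-1)
    g = n + 1                                                # standard choice of g
    mu = pow(lam, -1, n)                                     # L(g^lam mod n^2) = lam for g = n+1
    return (n, g), (lam, mu)


def L(u, n):
    return (u - 1) // n


def encrypt(pk, m):
    """E_pk(m) = g^m r^n mod n^2 with fresh random r; M_pk = Z_n here."""
    n, g = pk
    while True:
        r = random.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n


def add_pk(pk, c1, c2):
    """+_pk of equation (1): D(E(m1) +_pk E(m2)) = m1 + m2, as a ciphertext product mod n^2."""
    n, _ = pk
    return c1 * c2 % (n * n)


def mul_pk(pk, c, m2):
    """x_pk of equation (2): D(E(m1) x_pk m2) = m1 * m2, as a ciphertext power mod n^2.
    This is m2-fold repeated +_pk, which is why (1) implies (2)."""
    n, _ = pk
    return pow(c, m2, n * n)


def demo():
    """Returns (m1 + m2, m1 * m2) recovered through the two homomorphic operations."""
    pk, sk = keygen(999983, 1000003)             # constructed toy primes
    m1, m2 = 123456, 789
    total = decrypt(pk, sk, add_pk(pk, encrypt(pk, m1), encrypt(pk, m2)))
    product = decrypt(pk, sk, mul_pk(pk, encrypt(pk, m1), m2))
    return total, product
```

The conditions m_1 + m_2 ∈ M_pk and m_1 m_2 ∈ M_pk in (1) and (2) are visible here: both results are only recovered modulo n, so the plaintext arithmetic must not wrap, which is the reason the protocol later demands a minimum range for M_pk.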
System model. Our system includes two parties, alice and bob. Communication between alice and bob occurs in sessions (or protocol runs), one per message that they sign together. alice plays the role of session initiator in our protocol. We presume that each message is implicitly labeled with an identifier for the session to which it belongs. Multiple sessions can be executed concurrently.

The adversary in our protocol controls the network, inserting and manipulating communication as it chooses. In addition, it takes one of two forms: an alice-compromising adversary learns all private initialization information for alice. A bob-compromising adversary is defined similarly.

We note that a proof of security in this two-party system extends to a proof of security in an n-party system in a natural way, assuming the adversary decides which parties to compromise before any session begins. The basic idea is to guess for which pair of parties the adversary forges a signature, and focus the simulation proof on those two parties, running all other parties as in the real protocol. The only consequence is a factor of roughly […] lost in the reduction argument from the security of the signature scheme.

4 Signature Protocol 

In this section we present a new protocol called S-DSA by which alice and bob 
sign a message m. 

4.1 Initialization 

For our signature protocol, we assume that the private key x is multiplicatively 
shared between alice and bob, i.e., that alice holds a random private value x\ G 
and bob holds a random private value X2 G Z^ such that x =q XiX2- We also 
assume that along with y, y\ = mod p and y2 = mod p are public. In this 
extended abstract, we do not concern ourselves with this initialization step, but 
simply assume it is performed correctly, e.g., by a trusted third party. We note, 
however, that achieving this without a trusted third party is not straightforward 
(e.g., see ini)> and so we will describe such an initialization protocol in the full 
version of this paper. 

We use a multiplicative sharing of x to achieve greater efficiency than using 
either polynomial sharing or additive sharing. With multiplicative sharing of 
keys, inversion and multiplication of shared keys becomes trivial, but addition 
of shared keys becomes more complicated. For DSA, however, this approach 
seems to allow a much more efficient two-party protocol. 

In addition to sharing x, our protocol assumes that alice holds the private key sk corresponding to a public encryption key pk, and that there is another public encryption key pk' for which alice does not know the corresponding sk'. (As above, we assume that these keys are generated correctly, e.g., by a trusted third party.) Also, it is necessary for our particular zero-knowledge proof constructions that the range of M_pk be at least [−q^8, q^8] and the range of M_pk' be at least [−q^6, q^6], although we believe a slightly tighter analysis would allow both to have a range of [−q^7, q^7].
4.2 Signing Protocol

The protocol by which alice and bob cooperate to generate signatures with respect to the public key <g, p, q, y> is shown in Figure 1. As input to this protocol, alice receives the message m to be signed; bob receives no input (but receives m from alice in the first message).

Upon receiving m to sign, alice first computes its share k1 of the ephemeral private key for this signature, computes z1 = (k1)^{-1} mod q, and encrypts both z1 and x1 z1 mod q under pk. alice's first message to bob consists of m and these ciphertexts, α and ζ. bob performs some simple consistency checks on α and ζ (though he cannot decrypt them, since he does not have sk), generates his share k2 of the ephemeral private key, and returns his share r2 = g^{k2} mod p of the ephemeral public key.

Once alice has received r2 from bob and performed simple consistency checks on it (e.g., to determine that it has order q modulo p), she is able to compute the ephemeral public key r = (r2)^{k1} mod p, which she sends to bob in the third message of the protocol. alice also sends a noninteractive zero-knowledge proof Π that there are values η1 (= z1) and η2 (= x1 z1 mod q) that are consistent with r, r2, y1, α and ζ, and that are in the range [−q^3, q^3]. This last fact is necessary so that bob's subsequent formation of (a ciphertext of) s does not leak information about his private values.

Upon receiving <r, Π>, bob verifies Π and performs additional consistency checks on r. If these pass, then he proceeds to compute a ciphertext μ of the value s (modulo q) for the signature, using the ciphertexts α and ζ received in the first message from alice; the values hash(m), z2 = (k2)^{-1} mod q, r mod q, and x2; and the special ×pk and +pk operators of the encryption scheme. In addition, bob uses +pk to "blind" the plaintext value with a random, large multiple of q, so that when alice later decrypts μ, she statistically gains no information about bob's private values. In addition to returning μ, bob computes and returns μ' ← E_pk'(z2) and a noninteractive zero-knowledge proof Π' that there are values η1 (= z2) and η2 (= x2 z2 mod q) consistent with r2, y2, μ and μ', and that are in the range [−q^3, q^3]. After receiving and checking these values, alice recovers s from μ to complete the signature.

The noninteractive zero-knowledge proofs Π and Π' are assumed to satisfy the usual completeness, soundness, and zero-knowledge properties as defined in […], except using a public random hash function (i.e., a random oracle) instead of a public random string. In particular, we assume in Section 5 that (1) these proofs have negligible simulation error probability, and in fact a simulator exists that generates a proof that is statistically indistinguishable from a proof generated by the real prover, and (2) these proofs have negligible soundness error probability, i.e., the probability that a prover could generate a proof for a false statement is negligible. The implementations of Π and Π' in Section 6 enforce these properties under reasonable assumptions. To instantiate this protocol without random oracles, Π and Π' would need to become interactive zero-knowledge protocols. It is not too difficult to construct four-move protocols for Π and Π', and by overlapping some messages, one can reduce the total number of moves in this instantiation of the S-DSA protocol to eight. For brevity, we omit the full description of this instantiation.

When the zero-knowledge proofs are implemented using random oracles, we can show that our protocol is secure even when multiple instances are executed concurrently. Perhaps the key technical aspect is that we only require proofs of language membership, which can be implemented using random oracles without requiring rewinding in the simulation proof. In particular, we avoid the need for any proofs of knowledge that would require rewinding in knowledge extractors for the simulation proof, even if random oracles are used. The need for rewinding (and particularly, nested rewinding) causes many proofs of security to fail in the concurrent setting (e.g., […]).

5 Security for S-DSA 

In this section we sketch a formal proof of security for our protocol. We begin by defining security for signatures and encryption in Section 5.1 and for S-DSA in Section 5.2. We then state our theorems and proofs in Section 5.3.



5.1 Security for DSA and Encryption 

First we state requirements for security of DSA and encryption. For DSA, we specify existential unforgeability versus chosen message attacks […]. That is, a forger is given <g, p, q, y>, where (<g, p, q, y>, <g, p, q, x>) ← G_DSA(1^κ), and tries to forge signatures with respect to <g, p, q, y>. It is allowed to query a signature oracle (with respect to <g, p, q, x>) on messages of its choice. It succeeds if after this it can output some (m, σ) where V_{<g,p,q,y>}(m, σ) = 1 but m was not one of the messages signed by the signature oracle. We say a forger (q, ε)-breaks DSA if the forger makes q queries to the signature oracle and succeeds with probability at least ε.

For encryption, we specify semantic security […]. That is, an attacker A is given pk, where (pk, sk) ← G_enc(1^κ). A generates X0, X1 ∈ M_pk and sends these to a test oracle, which chooses b ←R {0, 1}, and returns Y = E_pk(X_b). Finally A outputs b', and succeeds if b' = b. We say an attacker A ε-breaks encryption if 2 · Pr(A succeeds) − 1 ≥ ε. Note that this implies Pr(A guesses 0 | b = 0) − Pr(A guesses 0 | b = 1) ≥ ε.

5.2 Security for S-DSA 

A forger F is given <g, p, q, y>, where (<g, p, q, y>, <g, p, q, x>) ← G_DSA(1^κ), and the public data generated by the initialization procedure for S-DSA, along with the secret data of either alice or bob (depending on the type of forger). As in the security definition for signature schemes, the goal of the forger is to forge signatures with respect to <g, p, q, y>. Instead of a signature oracle, there is an alice oracle and a bob oracle.
alice                                                  bob

k1 ←R Z_q
z1 ← (k1)^{-1} mod q
α ← E_pk(z1)
ζ ← E_pk(x1 z1 mod q)
                      ---- <m, α, ζ> ---->
                                                       abort if (α ∉ C_pk ∨ ζ ∉ C_pk)
                                                       k2 ←R Z_q
                                                       r2 ← g^{k2} mod p
                      <------- r2 --------
abort if (r2 ∉ Z_p^* ∨ (r2)^q ≠_p 1)
r ← (r2)^{k1} mod p
Π ← zkp[ ∃η1, η2 : η1, η2 ∈ [−q^3, q^3]
         ∧ r^{η1} =_p r2
         ∧ g^{η2/η1} =_p y1
         ∧ D_sk(α) =_q η1
         ∧ D_sk(ζ) =_q η2 ]
                      ---- <r, Π> ------->
                                                       abort if (r ∉ Z_p^* ∨ r^q ≠_p 1)
                                                       abort if (verify(Π) = false)
                                                       m' ← hash(m)
                                                       r' ← r mod q
                                                       z2 ← (k2)^{-1} mod q
                                                       c ←R Z_{q^5}
                                                       μ ← (α ×pk m'z2) +pk (ζ ×pk r'x2z2) +pk E_pk(cq)
                                                       μ' ← E_pk'(z2)
                                                       Π' ← zkp[ ∃η1, η2 : η1, η2 ∈ [−q^3, q^3]
                                                                 ∧ (r2)^{η1} =_p g
                                                                 ∧ g^{η2/η1} =_p y2
                                                                 ∧ D_sk'(μ') =_q η1
                                                                 ∧ D_sk(μ) =_q D_sk((α ×pk m'η1) +pk (ζ ×pk r'η2)) ]
                      <--- <μ, μ', Π'> ---
abort if (μ ∉ C_pk ∨ μ' ∉ C_pk')
abort if (verify(Π') = false)
s ← D_sk(μ) mod q
publish <r mod q, s>

Fig. 1. S-DSA shared signature protocol
F may query the alice oracle by invoking aliceInv1(m), aliceInv2(r2), or aliceInv3(<μ, μ', Π'>) for input parameters of F's choosing. (These invocations are also accompanied by a session identifier, which is left implicit.) These invocations correspond to a request to initiate the protocol for message m and the first and second messages received ostensibly from bob, respectively. These return outputs of the form <m, α, ζ>, <r, Π>, or a signature for the message m from the previous aliceInv1 query in the same session, respectively, or abort. Analogously, F may query the bob oracle by invoking bobInv1(<m, α, ζ>) or bobInv2(<r, Π>) for arguments of F's choosing. These return messages of the form r2 or <μ, μ', Π'>, respectively, or abort. F may invoke these queries in any order, arbitrarily many times.

An alice-compromising forger F succeeds if after gaining access to the private initialization state of alice, and invoking the alice and bob oracles as it chooses, it can output (m, σ) where V_{<g,p,q,y>}(m, σ) = 1 and m is not one of the messages sent to bob in a bobInv1 query. Similarly, a bob-compromising forger F succeeds if after gaining access to the private initialization state of bob, and invoking the alice and bob oracles as it chooses, it can output (m, σ) where V_{<g,p,q,y>}(m, σ) = 1 and m is not one of the messages sent to alice in an aliceInv1 query.

Let q_alice be the number of aliceInv1 queries to alice. Let q_bob be the number of bobInv1 queries. Let q_o be the number of other oracle queries. Let q = <q_alice, q_bob, q_o>. In a slight abuse of notation, let |q| = q_alice + q_bob + q_o, i.e., the total number of oracle queries. We say a forger (q, ε)-breaks S-DSA if it makes |q| oracle queries (of the respective type and to the respective oracles) and succeeds with probability at least ε.

5.3 Theorems 

Here we state theorems and provide proof sketches showing that if a forger 
breaks the S-DSA system with non-negligible probability, then either DSA or the 
underlying encryption scheme used in S-DSA can be broken with non-negligible 
probability. This implies that if DSA and the underlying encryption scheme are 
secure, our system will be secure. 

We prove security separately for alice-compromising and bob-compromising 
forgers. The idea behind each proof is a simulation argument. Assuming that 
a forger F can break the S-DSA system, we then construct a forger F* that 
breaks DSA. Basically F* will run F over a simulation of the S-DSA system, 
and when F succeeds in forging a signature in the simulation of S-DSA, then 
F* will succeed in forging a DSA signature. 

In the security proof against an alice-compromising forger F, there is a slight complication. If F were able to break the encryption scheme (G_enc, E, D), an attacker F* as described above may not be able to simulate properly. Thus we show that either F forges signatures in a simulation where the encryptions are of strings of zeros, and thus we can construct a forger F* for DSA, or F does not forge signatures in that simulation, and thus it must be able to distinguish the true encryptions from the zeroed encryptions. Then we can construct an attacker A that breaks the underlying encryption scheme. A similar complication arises in the security proof against a bob-compromising forger F, and the simulation argument is modified in a similar way.

Theorem 1 below states that an alice-compromising forger that breaks S-DSA with a non-negligible probability can break either DSA or (G_enc, E, D) with non-negligible probability. Theorem 2 makes a similar claim for a bob-compromising forger. In these theorems, we use ≈ to indicate equality to within negligible factors. Moreover, in our simulations, the forger F is run at most once, and so the times of our simulations are straightforward and omitted from our theorem statements.

Theorem 1. Suppose an alice-compromising forger (q, ε)-breaks S-DSA. Then either there exists an attacker that ε'-breaks (G_enc, E, D) with ε' ≈ ε/(2 q_bob), or there exists a forger that (q_bob, ε'')-breaks DSA with ε'' ≈ ε/2.

Proof. Assume an alice-compromising forger F (q, ε)-breaks the S-DSA scheme. Then consider a simulation Sim of the S-DSA scheme that takes as input a DSA public key <g, p, q, y>, a corresponding signature oracle, and a public key pk' for the underlying encryption scheme. Sim generates the initialization data for alice: x1 ←R Z_q and (pk, sk) ← G_enc(1^κ), and gives these to F. The public data y, y2 = y^{(x1)^{-1} mod q} mod p, and pk' are also revealed to F. Then Sim responds to alice queries as a real alice oracle would, and to bob queries using the help of the DSA signature oracle, since Sim does not know the x2 value used by a real bob oracle. Specifically Sim answers as follows:

1. bobInv1(<m, α, ζ>): Set z1 ← D_sk(α). Query the DSA signature oracle with m to get a signature <r̂, ŝ>, and compute r ← g^{hash(m)/ŝ} y^{r̂/ŝ} mod p, where 1/ŝ is computed modulo q. Compute r2 ← r^{z1} mod p, and return r2.

2. bobInv2(<r, Π>): Reject if Π is invalid, r ∉ Z_p^* or r^q ≠_p 1. Else, choose c ←R Z_{q^5} and set μ ← E_pk(ŝ + cq). Set μ' ← E_pk'(0), and generate Π' using the simulator for the zkp […]. Return <μ, μ', Π'>.

Notice that Sim sets μ' to an encryption of zero, and simulates the proof of consistency Π'. In fact, disregarding the negligible statistical difference between the simulated Π' proofs and the real Π' proofs, the only way Sim and the real S-DSA scheme differ (from F's viewpoint) is with respect to the μ' values, i.e., the (at most) q_bob ciphertexts generated using pk'.

Now consider a forger F* that takes as input a DSA public key <g, p, q, y> and corresponding signature oracle, generates a public key pk' using <pk', sk'> ← G_enc(1^κ), runs Sim using these parameters as inputs, and outputs whatever F outputs. If F produces a forgery with probability at least ε/2 in Sim, F* produces a forgery in the underlying DSA signature scheme with probability at least ε/2.

Otherwise F produces a forgery with probability less than ε/2 in Sim. Then using a standard hybrid argument, we can construct an attacker A that ε'-breaks the semantic security of the underlying encryption scheme for pk', where ε' ≈ ε/(2 q_bob). Specifically, A takes a public key pk' and corresponding test oracle 
as input, generates a DSA public/private key pair (<g, p, q, y>, <g, p, q, x>) ← G_DSA(1^κ), and runs a slightly modified Sim using <g, p, q, y> as the DSA public key parameter, simulating the DSA signature oracle with <g, p, q, x>, and using pk' as the public encryption key parameter. Sim is modified only in the bobInv2 query, as follows:

1. A computes the value z2 ← (k z1)^{-1} mod q, where k was computed in the simulation of the DSA signature oracle in the corresponding bobInv1 query,

2. A chooses to produce the first j ciphertexts under pk' as in the real protocol (i.e., μ' ← E_pk'(z2)), for a random j ∈ {0, ..., q_bob}, and

3. A produces the next ciphertext under pk' by using the response from the test oracle with input X0 = z2 and X1 = 0.

Finally A outputs 0 if F produces a forgery, and 1 otherwise. Since the case of j = 0 corresponds to Sim, and the case of j = q_bob corresponds to the real protocol, an averaging argument can be used to show that A ε'-breaks the semantic security of the underlying encryption scheme for pk' with ε' ≈ ε/(2 q_bob).



Theorem 2. Suppose a bob-compromising forger (q, ε)-breaks S-DSA. Then either there exists an attacker that ε'-breaks (G_enc, E, D) with ε' ≈ ε/(4 q_alice), or there exists a forger that (q_alice, ε'')-breaks DSA, with ε'' ≈ ε/2.

Proof. Assume a bob-compromising forger F (q, ε)-breaks the S-DSA scheme. Then consider a simulation Sim of the S-DSA scheme that takes as input a DSA public key <g, p, q, y>, a corresponding signature oracle, and a public key pk for the underlying encryption scheme. Sim generates the initialization data for bob: x2 ←R Z_q and (pk', sk') ← G_enc(1^κ), and gives these to F. The public data y, y1 = y^{(x2)^{-1} mod q} mod p, and pk are also revealed to F. Then Sim responds to bob queries as a real bob oracle would, and to alice queries using the help of the DSA signature oracle, since Sim does not know the x1 value used by a real alice oracle. Specifically Sim answers as follows:

1. aliceInv1(m): Set α ← E_pk(0) and ζ ← E_pk(0), and return <m, α, ζ>.

2. aliceInv2(r2): Reject if r2 ∉ Z_p^* or (r2)^q ≠_p 1. Call the DSA signature oracle with m, let (r̂, ŝ) be the resulting signature, and compute r ← g^{hash(m)/ŝ} y^{r̂/ŝ} mod p, where 1/ŝ is computed modulo q. Construct Π using the simulator for the zkp […]. Store <r̂, ŝ> and return <r, Π>.

3. aliceInv3(<μ, μ', Π'>): Reject if μ ∉ C_pk, μ' ∉ C_pk', or the verification of Π' fails. Otherwise, return <r̂, ŝ>.

Notice that Sim sets α and ζ to encryptions of zero, and simulates the proof of consistency Π. In fact, disregarding the negligible statistical difference between the simulated Π proofs and the real Π proofs, the only way Sim and the real S-DSA scheme differ (from F's viewpoint) is with respect to the α and ζ values, i.e., the (at most) 2 q_alice ciphertexts generated using pk.
Now consider a forger F* that takes as input a DSA public key <g, p, q, y> and a corresponding signature oracle, generates a public key pk using <pk, sk> ← G_enc(1^κ), runs Sim using these parameters as inputs, and outputs whatever F outputs. If F produces a forgery with probability at least ε/2 in Sim, F* produces a forgery in the underlying DSA signature scheme with probability at least ε/2.

Otherwise F produces a forgery with probability less than ε/2 in Sim. Then using a standard hybrid argument, we can construct an attacker A that ε'-breaks the semantic security of the underlying encryption scheme for pk, where ε' ≈ ε/(4 q_alice). Specifically, A takes a public key pk and corresponding test oracle as input, generates a DSA public/private key pair (<g, p, q,y>, <g, p, q, x>) ← G_DSA(1^κ), and runs a slightly modified Sim using <g, p, q, y> as the DSA public key parameter, and using pk as the public encryption key parameter. Sim is modified only in the alice oracle queries, as follows:

1. In aliceInv1,

a) A chooses to produce the first j ciphertexts under pk as in the real protocol (i.e., either α ← E_pk(z1) or ζ ← E_pk(x1 z1 mod q)), for a random j ∈ {0, ..., 2 q_alice},

b) A produces the next ciphertext under pk by using the response from the test oracle with input X0 being the plaintext from the real protocol (i.e., either X0 = z1 or X0 = x1 z1 mod q, depending on whether j is even or odd) and X1 = 0.

2. In aliceInv2, A computes r as in the real protocol, without calling the DSA signature oracle.

3. In aliceInv3, instead of returning the result of calling the DSA signature oracle, A computes z2 ← D_sk'(μ') and k2 ← (z2)^{-1} mod q, sets k ← k1 k2 mod q, and returns the DSA signature for m using DSA secret key <g, p, q, x> with k as the ephemeral secret key.

Finally A outputs 0 if F produces a forgery, and 1 otherwise. Since the case of j = 0 corresponds to Sim (in particular, notice that the distribution of r is identical), and the case of j = 2 q_alice corresponds to the real protocol, an averaging argument can be used to show that A ε'-breaks the semantic security of the underlying encryption scheme for pk with ε' ≈ ε/(4 q_alice).



6 Proofs Π and Π'

In this section we provide an example of how alice and bob can efficiently construct and verify the noninteractive zero-knowledge proofs Π and Π'. The form of these proofs naturally depends on the encryption scheme (G_enc, E, D), and the particular encryption scheme for which we detail Π and Π' here is that due to Paillier [31]. We reiterate, however, that our use of Paillier is merely exemplary, and similar proofs Π and Π' can be constructed with other cryptosystems satisfying the required properties (see Section […]).

We caution the reader that from this point forward, our use of variables is not necessarily consistent with their prior use in the paper; rather, it is necessary to replace certain variables or reuse them for different purposes.



6.1 The Paillier Cryptosystem 



A specific example of a cryptosystem that has the homomorphic properties required for our protocol is the first cryptosystem presented in [31]. It uses the facts that w^{λ(N)} =_N 1 and w^{Nλ(N)} =_{N^2} 1 for any w ∈ Z_{N^2}^*, where λ(N) is the Carmichael function of N. Let L be a function that takes input elements from the set {u < N^2 | u =_N 1} and returns L(u) = (u − 1)/N. We then define the Paillier encryption scheme (G_pai, E, D) as follows. This definition differs from that in [31] only in that we define the message space M_pk for public key pk = <N, g> as M_{<N,g>} = [−(N − 1)/2, (N − 1)/2] (versus Z_N in [31]).

G_pai(1^κ'): Choose κ'/2-bit primes p, q, set N = pq, and choose a random element g ∈ Z_{N^2}^* such that gcd(L(g^{λ(N)} mod N^2), N) = 1. Return the public key <N, g> and the private key <N, g, λ(N)>.

E_{<N,g>}(m): Select a random x ∈ Z_N^* and return c = g^m x^N mod N^2.

D_{<N,g,λ(N)>}(c): Compute m = L(c^{λ(N)} mod N^2) / L(g^{λ(N)} mod N^2) mod N. Return m if m ≤ (N − 1)/2, and otherwise return m − N.

c1 +_{<N,g>} c2: Return c1 c2 mod N^2.

c ×_{<N,g>} m: Return c^m mod N^2.

Paillier [31] shows that both g^{λ(N)} mod N^2 and c^{λ(N)} mod N^2 are elements of the form (1 + N)^d =_{N^2} 1 + dN, and thus the L function can be easily computed for decryption. The security of this cryptosystem relies on the Decision Composite Residuosity Assumption, DCRA.
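The following is an added example, not code from the paper: one honest run of the Fig. 1 message flow of Section 4.2 over the Paillier scheme just defined, with the result checked by ordinary DSA verification, so it serves both passages. All parameters (the tiny DSA group, the Paillier primes, the use of g = N + 1 and SHA-256) are constructed assumptions, and the proofs Π and Π' are omitted, so it exercises the arithmetic of the protocol, not its security argument.

```python
"""Added example (not the paper's code): one honest run of the S-DSA message
flow of Fig. 1 over the Paillier scheme of Section 6.1, checked with ordinary
DSA verification. All parameters are constructed toys; the proofs Pi and Pi'
are omitted, so this exercises the arithmetic only, not the security argument."""
import hashlib
import math
import secrets

# Toy DSA group <g, p, q> (constructed, far too small for real use): p = 6q + 1.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)                  # element of order q in Z_p^*
assert G != 1 and pow(G, Q, P) == 1

# Constructed Paillier primes: the paper needs N > q^8 for pk and N' > q^6 for pk'.
PK_PRIMES = (1000000007, 998244353)          # N  ~ 2^60  >  101^8 ~ 2^53.3
PK2_PRIMES = (1000000009, 1000000021)        # N' ~ 2^60  >  101^6


def dsa_hash(m: bytes) -> int:
    """hash(m) as an element of Z_q (assumption: SHA-256 stands in for SHA-1)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


# ---- Paillier (G_pai, E, D) with the signed message space of Section 6.1 ----
def paillier_keygen(p: int, q: int):
    N = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda(N) = lcm(p-1, q-1)
    g = N + 1                                # a valid g: gcd(L(g^lam mod N^2), N) = 1
    return (N, g), (N, g, lam)               # pk = <N, g>, sk = <N, g, lambda(N)>

def L(u: int, N: int) -> int:
    return (u - 1) // N                      # defined for u = 1 (mod N)

def paillier_enc(pk, m: int) -> int:
    N, g = pk
    x = 1 + secrets.randbelow(N - 1)         # x in Z_N^* (not a unit w.p. ~2^-30)
    return (pow(g, m % N, N * N) * pow(x, N, N * N)) % (N * N)

def paillier_dec(sk, c: int) -> int:
    N, g, lam = sk
    m = (L(pow(c, lam, N * N), N) * pow(L(pow(g, lam, N * N), N), -1, N)) % N
    return m if m <= (N - 1) // 2 else m - N  # back into [-(N-1)/2, (N-1)/2]

def padd(pk, c1: int, c2: int) -> int:       # c1 +pk c2
    return (c1 * c2) % (pk[0] ** 2)

def pmul(pk, c: int, m: int) -> int:         # c xpk m
    return pow(c, m, pk[0] ** 2)

def in_cpk(pk, c: int) -> bool:              # toy membership test for C_pk
    return 0 < c < pk[0] ** 2 and math.gcd(c, pk[0]) == 1


def sdsa_sign(m: bytes, x1: int, x2: int, pk, sk, pk2):
    """One run of Fig. 1 between alice (x1, sk) and bob (x2); returns (r mod q, s)."""
    while True:                              # retry if r or s is 0, as in plain DSA
        # alice, message 1: <m, alpha, zeta>
        k1 = 1 + secrets.randbelow(Q - 1)
        z1 = pow(k1, -1, Q)
        alpha = paillier_enc(pk, z1)
        zeta = paillier_enc(pk, (x1 * z1) % Q)
        # bob, message 2: r2 = g^{k2}
        if not (in_cpk(pk, alpha) and in_cpk(pk, zeta)):
            raise ValueError("abort: alpha or zeta not in C_pk")
        k2 = 1 + secrets.randbelow(Q - 1)
        r2 = pow(G, k2, P)
        # alice, message 3: <r, Pi>  (Pi omitted here)
        if not (0 < r2 < P and pow(r2, Q, P) == 1):
            raise ValueError("abort: r2 not of order q")
        r = pow(r2, k1, P)                   # g^{k1 k2}, the ephemeral public key
        # bob, message 4: <mu, mu', Pi'>  (Pi' omitted here)
        if not (0 < r < P and pow(r, Q, P) == 1):
            raise ValueError("abort: r not of order q")
        m_, r_, z2 = dsa_hash(m), r % Q, pow(k2, -1, Q)
        c = secrets.randbelow(Q ** 5)        # blinding: a random multiple of q
        mu = padd(pk, pmul(pk, alpha, (m_ * z2) % Q),
                  pmul(pk, zeta, (r_ * x2 * z2) % Q))
        mu = padd(pk, mu, paillier_enc(pk, c * Q))
        mu2 = paillier_enc(pk2, z2)          # mu' = E_pk'(z2), an input to Pi'
        # alice: D_sk(mu) = k^{-1}(hash(m) + x r) + c q, so s = D_sk(mu) mod q
        if not (in_cpk(pk, mu) and in_cpk(pk2, mu2)):
            raise ValueError("abort: mu or mu' not a ciphertext")
        s = paillier_dec(sk, mu) % Q
        if r_ != 0 and s != 0:
            return r_, s


def dsa_verify(y: int, m: bytes, r_: int, s: int) -> bool:
    """Ordinary DSA verification against the joint public key y = g^{x1 x2}."""
    if not (0 < r_ < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, (dsa_hash(m) * w) % Q, P) * pow(y, (r_ * w) % Q, P)) % P
    return v % Q == r_


def demo(m: bytes):
    """Trusted-dealer initialization of Section 4.1, then one shared signature."""
    pk, sk = paillier_keygen(*PK_PRIMES)     # alice holds sk
    pk2, _sk2 = paillier_keygen(*PK2_PRIMES) # nobody in the run holds sk'
    x1, x2 = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    y = pow(G, (x1 * x2) % Q, P)             # x = x1 x2 (mod q)
    r_, s = sdsa_sign(m, x1, x2, pk, sk, pk2)
    return y, r_, s
```

Because bob adds E_pk(cq) before returning μ, the value alice decrypts is s plus a multiple of q and is reduced mod q to obtain the plain DSA signature (r mod q, s).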



6.2 Proof Π

In this section we show how to efficiently implement the proof Π in our protocol when the Paillier cryptosystem is used. Π' is detailed in Section 6.3. Both proofs rely on the following assumption:

Strong RSA Assumption. Given an RSA modulus generator G_RSA that takes as input 1^κ' and produces a value N that is the product of two random primes of length κ'/2, the Strong RSA assumption states that for any probabilistic polynomial-time attacker A:

Pr[N ← G_RSA(1^κ'); y ←R Z_N^*; (x, e) ← A(N, y) : (e > 3) ∧ (y =_N x^e)]

is negligible.

In our proofs, it is assumed that there are public values Ñ, h1 and h2. Soundness requires that Ñ be an RSA modulus that is the product of two strong primes and for which the factorization is unknown to the prover, and that the discrete logs of h1 and h2 relative to each other modulo Ñ are unknown to the prover. Zero knowledge requires that discrete logs of h1 and h2 relative to each other modulo Ñ exist (i.e., that h1 and h2 generate the same group). As in Section 4.1, here we assume that these parameters are distributed to alice and bob by a trusted third party. In the full paper, we will describe how this assumption can be eliminated.

Now consider the proof Π. Let p and q be as in a DSA public key, pk = <N, g> be a Paillier public key, and sk = <N, g, λ(N)> be the corresponding private key, where N > q^8. For public values c, d, w1, w2, m1, m2, we construct a zero-knowledge proof Π of:

P = ∃x1, x2 : x1, x2 ∈ [−q^3, q^3]
              ∧ c^{x1} =_p w1
              ∧ d^{x2/x1} =_p w2
              ∧ D_sk(m1) = x1
              ∧ D_sk(m2) = x2

The proof is constructed in Figure 2 and its verification procedure is given in Figure 3. We assume that c, d, w1, w2 ∈ Z_p^* and are of order q, and that m1, m2 ∈ Z_{N^2}^*. (The prover should verify this if necessary, and abort if not true.) We assume the prover knows x1, x2 ∈ Z_q and r1, r2 ∈ Z_N^* such that c^{x1} =_p w1, d^{x2/x1} =_p w2, m1 =_{N^2} g^{x1}(r1)^N and m2 =_{N^2} g^{x2}(r2)^N. The prover need not know sk, though a malicious prover might. If necessary, the verifier should verify that c, d, w1, w2 ∈ Z_p^* and are of order q, and that m1, m2 ∈ Z_{N^2}^*.

Intuitively, the proof works as follows. Commitments z1 and z2 are made to x1 and x2 over the RSA modulus Ñ, and these are proven to fall in the desired range using proofs as in […]. Simultaneously, it is shown that the commitment z1 corresponds to the decryption of m1 and the discrete log of w1. Also simultaneously, it is shown that the commitment z2 corresponds to the decryption of m2, and that the discrete log of w2 is the quotient of the two commitments. The proof is shown in two columns, the left column used to prove the desired properties of x1, w1 and m1, and the right column used to prove the desired properties of x2, w2 and m2. The proof of the following lemma will appear in the full version of this paper.

Lemma 1. Π is a noninteractive zero-knowledge proof of P.



6.3 Proof Π'

Now we look at the proof Π'. Let p and q be as in a DSA public key, pk = <N, g> and sk = <N, g, λ(N)> be a Paillier key pair with N > q^8, and pk' = <N', g'> and sk' = <N', g', λ(N')> be a Paillier key pair with N' > q^6. For values c, d, w1, w2, m1, m2, m3, m4 such that for some n1, n2 ∈ [−q^3, q^3], D_sk(m3) = n1 and D_sk(m4) = n2, we construct a zero-knowledge proof Π' of:
P' = ∃x1, x2, x3 : x1, x2 ∈ [−q^3, q^3]
                   ∧ x3 ∈ [−q^7, q^7]
                   ∧ c^{x1} =_p w1
                   ∧ d^{x2/x1} =_p w2
                   ∧ D_sk'(m1) = x1
                   ∧ D_sk(m2) = n1 x1 + n2 x2 + q x3

We note that P' is stronger than what is needed as shown in Figure 1. The proof is constructed in Figure 4 and the verification procedure for it is given in Figure 5. We assume that c, d, w1, w2 ∈ Z_p^* and are of order q, and that m1 ∈ Z_{N'^2}^* and m2 ∈ Z_{N^2}^*. (The prover should verify this if necessary.) We assume the prover knows x1, x2 ∈ Z_q, x3 ∈ Z_{q^5}, and r1 ∈ Z_{N'}^*, r2 ∈ Z_N^* such that c^{x1} =_p w1, d^{x2/x1} =_p w2, m1 =_{N'^2} (g')^{x1}(r1)^{N'} and m2 =_{N^2} (m3)^{x1}(m4)^{x2} g^{q x3}(r2)^N. The prover need not know sk or sk', though a malicious prover might know sk'. We assume the verifier knows n1 and n2. If necessary, the verifier should verify that c, d, w1, w2 ∈ Z_p^* and are of order q, and that m1 ∈ Z_{N'^2}^* and m2 ∈ Z_{N^2}^*. The proof of the following lemma will appear in the full version of this paper.

Lemma 2. Π' is a noninteractive zero-knowledge proof of P'.

(left column: x1, w1, m1)                 (right column: x2, w2, m2)
α ←R Z_{q^3}                              δ ←R Z_{q^3}
β ←R Z_N^*                                μ ←R Z_N^*
γ ←R Z_{q^3 Ñ}                            ν ←R Z_{q^3 Ñ}
ρ1 ←R Z_{qÑ}                              ρ2 ←R Z_{qÑ}
                                          ρ3 ←R Z_q
                                          ε ←R Z_q
z1 ← (h1)^{x1} (h2)^{ρ1} mod Ñ            z2 ← (h1)^{x2} (h2)^{ρ2} mod Ñ
u1 ← c^α mod p                            y ← d^{x2+ρ3} mod p
u2 ← g^α β^N mod N^2                      v1 ← d^{δ+ε} mod p
u3 ← (h1)^α (h2)^γ mod Ñ                  v2 ← (w2)^α d^ε mod p
                                          v3 ← g^δ μ^N mod N^2
                                          v4 ← (h1)^δ (h2)^ν mod Ñ
e ← hash(c, w1, d, w2, m1, m2, z1, u1, u2, u3, z2, y, v1, v2, v3, v4)
s1 ← e x1 + α                             t1 ← e x2 + δ
s2 ← (r1)^e β mod N                       t2 ← e ρ3 + ε mod q
s3 ← e ρ1 + γ                             t3 ← (r2)^e μ mod N^2
                                          t4 ← e ρ2 + ν
Π ← <z1, u1, u2, u3, z2, y, v1, v2, v3, v4, s1, s2, s3, t1, t2, t3, t4>

Fig. 2. Construction of Π

<z1, u1, u2, u3, z2, y, v1, v2, v3, v4, s1, s2, s3, t1, t2, t3, t4> ← Π
e ← hash(c, w1, d, w2, m1, m2, z1, u1, u2, u3, z2, y, v1, v2, v3, v4)
Verify s1, t1 ∈ Z_{q^3}.                  Verify d^{t1+t2} =_p y^e v1.
Verify c^{s1} =_p (w1)^e u1.              Verify (w2)^{s1} d^{t2} =_p y^e v2.
Verify g^{s1} (s2)^N =_{N^2} (m1)^e u2.   Verify g^{t1} (t3)^N =_{N^2} (m2)^e v3.
Verify (h1)^{s1} (h2)^{s3} =_Ñ (z1)^e u3. Verify (h1)^{t1} (h2)^{t4} =_Ñ (z2)^e v4.

Fig. 3. Verification of Π

Fig. 4. Construction of Π'

<z1, u1, u2, u3, z2, z3, y, v1, v2, v3, v4, v5, s1, s2, s3, t1, t2, t3, t4, t5, t6> ← Π'
(e is recomputed as in Figure 4)
Verify s1, t1 ∈ Z_{q^3}.
Verify t5 ∈ Z_{q^7}.
Verify c^{s1} =_p (w1)^e u1.
Verify (g')^{s1} (s2)^{N'} =_{N'^2} (m1)^e u2.
Verify (h1)^{s1} (h2)^{s3} =_Ñ (z1)^e u3.
Verify d^{t1+t2} =_p y^e v1.
Verify (w2)^{s1} d^{t2} =_p y^e v2.
Verify (m3)^{s1} (m4)^{t1} g^{q t5} (t3)^N =_{N^2} (m2)^e v3.
Verify (h1)^{t1} (h2)^{t4} =_Ñ (z2)^e v4.
Verify (h1)^{t5} (h2)^{t6} =_Ñ (z3)^e v5.

Fig. 5. Verification of Π'






Two-Party Generation of DSA Signatures 153 



References 

1. J. Benaloh. Dense probabilistic encryption. In Workshop on Selected Areas of Cryp- 
tography, pages 120-128, 1994. 

2. N. Baric and B. Pfitzmann. Collision-free accumulators and fail-stop signature 
schemes without trees. In EUROCRYPT ’96 (LNCS 1233), pages 480-494, 1997. 

3. M. Blum, A. DeSantis, S. Micali, and G. Persiano. Noninteractive zero-knowledge. 
SIAM Journal of Computing 20(6):1084-1118, 1991. 

4. C. Boyd. Digital multisignatures. In H. J. Beker and F. C. Piper, editors, Cryp- 
tography and Coding, pages 241-246. Clarendon Press, 1986. 

5. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In 1st ACM Conference on Computer and Communications Security, pages 62-73, November 1993.

6. R. A. Croft and S. P. Harris. Public-key cryptography and reusable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189-201, 1989.

7. M. Cerecedo, T. Matsumoto, H. Imai. Efficient and secure multiparty generation of digital signatures based on discrete logarithms. IEICE Trans. Fundamentals of Electronics, Communications and Computer Sciences E76A(4):532-545, April 1993.

8. Y. Desmedt. Society and group oriented cryptography: a new concept. In CRYPTO '87 (LNCS 293), pages 120-127, 1987.

9. Y. Desmedt and Y. Frankel. Threshold cryptosystems. In CRYPTO ’89 (LNCS 
435), pages 307-315, 1989. 

10. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete 
logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985. 

11. FIPS 180-1. Secure hash standard. Federal Information Processing Standards Publication 180-1, U.S. Dept. of Commerce/NIST, National Technical Information Service, Springfield, Virginia, 1995.

12. FIPS 186. Digital signature standard. Federal Information Processing Standards Publication 186, U.S. Dept. of Commerce/NIST, National Technical Information Service, Springfield, Virginia, 1994.

13. Y. Frankel. A practical protocol for large group oriented networks. In EURO- 
CRYPT ’89 (LNCS 434), pages 56-61, 1989. 

14. Y. Frankel, P. MacKenzie, and M. Yung. Adaptively-secure distributed threshold 
public key systems. In European Symposium on Algorithms (LNCS 1643), pages 
4-27, 1999. 

15. E. Fujisaki and T. Okamoto. Statistical zero-knowledge protocols to prove modular 
polynomial relations. In CRYPTO ’97 (LNCS 1294), pages 16-30, 1997. 

16. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signa- 
tures. In EUROCRYPT ’96 (LNCS 1070), pages 354-371, 1996. 

17. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure distributed key gen- 
eration for discrete-log based cryptosystems. In EUROCRYPT ’99 (LNCS 1592), 
pages 295-310, 1999. 

18. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and 
System Sciences 28:270-299, 1984. 

19. S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure 
against adaptive chosen-message attacks. SIAM Journal of Computing 17(2):281- 
308, April 1988. 

20. L. Harn. Group oriented (t, n) threshold digital signature scheme and digital multisignature. IEE Proc.-Comput. Digit. Tech. 141(5):307-313, 1994.




154 P. MacKenzie and M.K. Reiter



21. A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung. Proactive public-key and signature schemes. In 4th ACM Conference on Computer and Communications Security, pages 100-110, 1997.

22. T. Hwang. Cryptosystem for group oriented cryptography. In EUROCRYPT ’90 
(LNCS 473), pages 352-360, 1990. 

23. S. Jarecki and A. Lysyanskaya. Adaptively secure threshold cryptography: intro- 
ducing concurrency, removing erasures. In EUROCRYPT 2000 (LNCS 1807), pages 
221-242, 2000. 

24. J. Kilian, E. Petrank, and C. Rackoff. Lower bounds for zero knowledge on the internet. In 39th IEEE Symposium on Foundations of Computer Science, pages 484-492, 1998.

25. D. W. Kravitz. Digital signature algorithm. U.S. Patent 5,231,668, 27 July 1993. 

26. S. Langford. Threshold DSS signatures without a trusted party. In CRYPTO ’95 
(LNCS 963), pages 397-409, 1995. 

27. P. MacKenzie and M. K. Reiter. Networked cryptographic devices resilient to cap- 
ture. DIMACS Technical Report 2001-19, May 2001. Extended abstract in 2001 
IEEE Symposium on Security and Privacy, May 2001. 

28. D. Naccache and J. Stern. A new public-key cryptosystem. In EUROCRYPT ’97 
(LNCS 1233), pages 27-36, 1997. 

29. M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen 
ciphertext attacks. In 22"“^ ACM Symposium on Theory of Computing, pages 427- 
437, 1990. 

30. T. Okamoto and S. Uchiyama. A new public-key cryptosystem, as secure as fac- 
toring. In EUROCRYPT ’98 (LNCS 1403), pages 308-318, 1998. 

31. P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. 
In EUROCRYPT ’99 (LNCS 1592), pages 223-238, 1999. 

32. C. Park and K. Kurosawa. New ElGamal type threshold digital signature scheme. 
lEICE Trans. Fundamentals of Electronics Communications and Computer Sci- 
ences E79A(l):86-93, January, 1996. 

33. T. Pedersen. A threshold cryptosystem without a trusted party. In EUROCRYPT 
’91 (LNCS 547), pages 522-526, 1991. 

34. A. Yao. Protocols for secure computation. In 23'^'* IEEE Symposium on Founda- 
tions of Computer Science, pages 160-164, 1982. 




Oblivious Transfer in the Bounded Storage Model

Yan Zong Ding

DEAS, Harvard University, Cambridge MA 02138, USA
zong@deas.harvard.edu



Abstract. Building on a previous important work of Cachin, Crepeau, and Marcil [?], we present a provably secure and more efficient protocol for $\binom{2}{1}$-Oblivious Transfer with a storage-bounded receiver. A public random string of $n$ bits long is employed, and the protocol is secure against any receiver who can store $\gamma n$ bits, $\gamma < 1$. Our work improves the work of CCM [?] in two ways. First, the CCM protocol requires the sender and receiver to store $O(n^c)$ bits, $c \sim 2/3$. We give a similar but more efficient protocol that just requires the sender and receiver to store $O(\sqrt{kn})$ bits, where $k$ is a security parameter. Second, the basic CCM Protocol was proved in [?] to guarantee that a dishonest receiver who can store $O(n)$ bits succeeds with probability at most $\delta \sim 1/3$, although repetition of the protocol can make this probability of cheating exponentially small [?]. Combining the methodologies of [?] and [?], we prove that in our protocol, a dishonest storage-bounded receiver succeeds with probability only [illegible], without repetition of the protocol. Our results answer an open problem raised by CCM in the affirmative.



1 Introduction

Oblivious Transfer (OT) was introduced by Rabin [?] in 1981, and has since then become one of the most fundamental and powerful tools in cryptography. An important generalization, known as one-out-of-two oblivious transfer and denoted $\binom{2}{1}$-OT, was introduced by Even, Goldreich, and Lempel [?] in 1982. Informally speaking, in a $\binom{2}{1}$-OT, a sender Alice has two secret bits $M_0, M_1 \in \{0,1\}$, and a receiver Bob has a secret bit $S \in \{0,1\}$. Alice sends $M_0, M_1$ in such a way that Bob receives $M_S$, but does not learn both $M_0$ and $M_1$, and Alice learns nothing about $S$. Crepeau proved in 1987 that OT and $\binom{2}{1}$-OT are equivalent [?]. In 1988, Kilian proved that every secure two-party and multi-party computation can be reduced to OT [?].

Traditionally, protocols for OT have been based on unproven complexity assumptions that certain problems, such as integer factorization, are computationally hard, or that trapdoor permutations exist. The solutions so obtained, although significant, have a drawback. Namely, they do not guarantee everlasting security. A dishonest player can store the entire conversation during the protocol, and attempt to subvert the security of the protocol later, when enabled by breakthroughs in computing technology and/or code-breaking algorithms. While determining the computational complexity of factorization, or proving the existence of trapdoor permutations, is still beyond the reach of complexity theory, continuing advances in factoring algorithms will jeopardize the security of protocols based on factoring. In addition, these protocols will become insecure if quantum computers become available [?]. Similar threats exist for protocols based on other hardness assumptions. We thus seek protocols that are provably secure in face of any future advances in algorithms and computing technology.

The ground breaking work of Cachin, Crepeau, and Marcil [?] in 1998 gave the first provably secure protocol for $\binom{2}{1}$-OT in the Bounded Storage Model, without any complexity assumption. The bounded storage model, introduced by Maurer [?], imposes a bound $B$ on the adversary's storage capacity only. A public random string of $n$ bits long, $n > B$, is employed in order to defeat the adversary. Although a trusted third party is not necessary in principle, in a practical implementation, the string $\alpha$ may be one in a steady flow of random strings $\alpha_1, \alpha_2, \ldots$, each of length $n$, broadcast from a satellite at a very high rate, and available to all. When $\alpha$ is broadcast, the adversary is allowed to compute an arbitrary function $f$ on $\alpha$, provided that the length $|f(\alpha)| \le B$.

In the context of OT, the storage bound is placed on one of the two parties, WLOG say the receiver. By the reversibility of OT [?], the case where the storage bound is placed on the sender is equivalent. The CCM protocol [?] guarantees provable security against any dishonest sender who is unbounded in every way, and against any computationally unbounded dishonest receiver who stores no more than $B = \gamma n$ bits, $\gamma < 1$. Furthermore, the security against a dishonest receiver is preserved regardless of future increases in storage capacity. Together with the completeness of OT [?], a fundamental implication of [?] is that every information-theoretically secure two-party and multi-party computation, in principle, is feasible in the bounded storage model.

The work of CCM [?], however, has two undesirable aspects. First, while providing security against a dishonest receiver who stores $B = O(n)$ bits, the CCM protocol also requires honest sender and receiver to store $O(n^c)$ bits, $c \sim 2/3$. Since $n$ is very large, this requirement could be rather excessive. Second, the CCM protocol was proved in [?] to guarantee that a receiver who stores $O(n)$ bits succeeds with probability at most $\delta \sim 1/3$. Note that this probability is usually not as small as desired. Of course, repetition of the protocol can make this probability of cheating exponentially small [?].

Our Results. Building on the work of Cachin, Crepeau, and Marcil [?], we give a similar but more efficient protocol for $\binom{2}{1}$-OT in the bounded storage model. The major difference between our protocol and the CCM Protocol is that the CCM Protocol uses an extra distillation step, which involves many bits divided into polynomially large blocks, and the extraction of a nearly random bit from each block. Getting rid of this distillation step, we reduce the storage requirement to $O(\sqrt{kn})$, where $k$ is a security parameter. Combining the methodologies of [?] and [?], we prove that in our protocol, any dishonest receiver who stores $O(n)$ bits succeeds with probability at most [illegible], without repetition of the protocol. Our results answer positively an open problem raised in [?].
1.1 Related Work

OT and $\binom{2}{1}$-OT were introduced by Rabin [?] and Even et al. [?] respectively. Their equivalence was established by Crepeau [?]. There is a vast literature on the relationships between OT and other cryptographic primitives, and between OT variants. OT can be used to construct protocols for secret key agreement [?], contract signing [?], bit commitment and zero-knowledge proof [?], and general secure multi-party computation [?]. It was proved by Kilian that every secure two-party and multi-party computation reduces to OT [?]. Information-theoretic reductions between OT variants were studied in [?].

In traditional cryptography, protocols for OT have been designed under the assumptions that factoring is hard [?], discrete log is hard [?], and trapdoor permutations exist [?]. OT has also been studied in the quantum model [?], and the noisy channel model [?]. Recently OT has been extended to various distributed and concurrent settings [?], and these protocols are either based on complexity assumptions, or information-theoretically secure using private channels and auxiliary servers. Cachin, Crepeau, and Marcil [?] gave the first secure two-party protocol for $\binom{2}{1}$-OT in the bounded storage and public random string model, without any complexity assumption, and without private channels or auxiliary servers.

The public random string model was introduced by Rabin [?]. The bounded storage model was introduced by Maurer [?]. Secure encryption in the bounded storage model was first studied in [?], but later significantly stronger results appeared in [?]. Information-theoretically secure key agreement was investigated in [?].

The bounded space model for zero-knowledge proof was studied in [?]. Pseudorandomness in the bounded space model was studied in [?]. However, note the important difference between the bounded space model and the bounded storage model: the bounded space model imposes a bound on the computation space of the adversary, whereas in the bounded storage model the adversary can compute any function with arbitrarily high complexity, provided that the length of the output is bounded.

2 Preliminaries

This section provides the building blocks for our protocol and analysis. Throughout the paper, $k$ is a security parameter, $n$ is the length of a public random string, and $B = \gamma n$, $\gamma < 1$, is the storage bound on the receiver Bob. For simplicity and WLOG, we consider $B = n/6$ (i.e. $\gamma = 1/6$). Similar results hold for any $\gamma < 1$.

Definition 1. Denote $[n] = \{1, \ldots, n\}$. Let $\mathcal{K} = \{s \subseteq [n] : |s| = k\}$ be the set of all $k$-element subsets of $[n]$.

Definition 2. For $s = \{a_1, \ldots, a_k\} \in \mathcal{K}$ and $\alpha \in \{0,1\}^n$, define $s(\alpha) = \bigoplus_{i=1}^{k} \alpha[a_i]$, where $\oplus$ denotes XOR, and $\alpha[a_i]$ is the $a_i$-th bit of $\alpha$.
Definition 3. Let $H \subseteq \{0,1\}^n$. Let $s \in \mathcal{K}$. We say that $s$ is good for $H$ if
$$\left| \frac{|\{\alpha \in H : s(\alpha) = 0\}|}{|H|} - \frac{|\{\alpha \in H : s(\alpha) = 1\}|}{|H|} \right| < 2^{-k/6}. \qquad (1)$$
Thus, if $s$ is good for $H$, then $\{s(\alpha) : \alpha \in H\}$ is well balanced between 0's and 1's.

Definition 4. Let $H \subseteq \{0,1\}^n$. We say that $H$ is fat if $|H| \ge$ [illegible].

The following Lemma 1 says that if $H$ is fat, then almost all $s \in \mathcal{K}$ are good for $H$. The lemma follows directly from Main Lemma 1 of [?], by considering $k$-tuples in $[n]^k$ with distinct coordinates.

Lemma 1. Let $H \subseteq \{0,1\}^n$. Denote
$$B_H = \{s \in \mathcal{K} : s \text{ is not good for } H\}. \qquad (2)$$
If $H$ is fat, and $k \le \sqrt{n}$,¹ then
$$|B_H| \le |\mathcal{K}| \cdot 2^{-k/3} = \binom{n}{k} \cdot 2^{-k/3}. \qquad (3)$$
In Appendix A we will give a proof of Lemma 1 from Main Lemma 1 of [?].

Notation: Let $F$ be a finite set. The notation $x \xleftarrow{R} F$ denotes choosing $x$ uniformly from $F$.



Lemma 2. Let $0 < \gamma, \nu < 1$ and $\nu < 1 - \gamma$. For any function $f : \{0,1\}^n \to \{0,1\}^{\gamma n}$, for $\alpha \xleftarrow{R} \{0,1\}^n$,
$$\Pr\left[ |f^{-1}(f(\alpha))| \ge 2^{(1-\gamma-\nu)n} \right] \ge 1 - 2^{-\nu n}.$$

Proof. Any function $f : \{0,1\}^n \to \{0,1\}^{\gamma n}$ partitions $\{0,1\}^n$ into $2^{\gamma n}$ disjoint subsets $\Omega_1, \ldots, \Omega_{2^{\gamma n}}$, one for each $\eta \in \{0,1\}^{\gamma n}$, such that for each $i$, $\forall \alpha, \beta \in \Omega_i$, $f(\alpha) = f(\beta) = \eta_i \in \{0,1\}^{\gamma n}$. Let $\mu = 1 - \gamma - \nu$. We now bound the number of $\alpha \in \{0,1\}^n$ s.t. $|f^{-1}(f(\alpha))| < 2^{\mu n}$. Since there are at most $2^{\gamma n}$ $j$'s such that $|\Omega_j| < 2^{\mu n}$, it follows that
$$\left|\{\alpha \in \{0,1\}^n : |f^{-1}(f(\alpha))| < 2^{\mu n}\}\right| = \sum_{j : |\Omega_j| < 2^{\mu n}} |\Omega_j| < 2^{\gamma n} \cdot 2^{\mu n} = 2^{(1-\nu)n}.$$
Therefore, for $\alpha \xleftarrow{R} \{0,1\}^n$,
$$\Pr\left[ |f^{-1}(f(\alpha))| < 2^{\mu n} \right] = \frac{\left|\{\alpha \in \{0,1\}^n : |f^{-1}(f(\alpha))| < 2^{\mu n}\}\right|}{2^n} < \frac{2^{(1-\nu)n}}{2^n} = 2^{-\nu n}. \qquad \square$$

Corollary 1. For any function $f : \{0,1\}^n \to \{0,1\}^{n/6}$, for $\alpha \xleftarrow{R} \{0,1\}^n$,
$$\Pr\left[ f^{-1}(f(\alpha)) \text{ is fat} \right] \ge 1 - 2^{-0.02n}.$$

Proof. Let $\gamma = 1/6$ and $\nu = 0.02$ in Lemma 2. $\square$

¹ The condition $k \le \sqrt{n}$ in Lemma 1 is valid, because $k$, the security parameter (e.g. $k = 1000$), is negligibly small compared to $n$ (e.g. $n = 10^{[\text{illegible}]}$), which is larger than the adversary's storage capacity.

The rest of this section is devoted to the crucial tools employed by the CCM Protocol and our protocol.

2.1 Birthday Paradox

Lemma 3. Let $A, B \subseteq [n]$ be two independent random subsets of $[n]$ with $|A| = |B| = u$. Then the expected size $E[|A \cap B|] = u^2/n$.

Corollary 2. Let $A, B \subseteq [n]$ be two independent random subsets of $[n]$ with $|A| = |B| = \sqrt{kn}$. Then the expected size $E[|A \cap B|] = k$.

We now wish to bound the probability that $|A \cap B|$ deviates from the expectation. Note that standard Chernoff-Hoeffding bounds do not directly apply, since elements of the subsets $A$ and $B$ are chosen without replacement. We use the following version of Chernoff-Hoeffding from [?].

Lemma 4. [?] Let $Z_1, \ldots, Z_u$ be Bernoulli trials (not necessarily independent), and let $0 < p_i < 1$, $1 \le i \le u$. Assume that $\forall i$ and $\forall (e_1, \ldots, e_{i-1}) \in \{0,1\}^{i-1}$,
$$\Pr[Z_i = 1 \mid Z_1 = e_1, \ldots, Z_{i-1} = e_{i-1}] \ge p_i.$$
Let $W = \sum_{i=1}^{u} p_i$. Then for $\delta \le 1$,
$$[\text{illegible}] \qquad (4)$$

Corollary 3. Let $A, B \subseteq [n]$ be two independent random subsets of $[n]$ with $|A| = |B| = 2\sqrt{kn}$. Then
$$\Pr[|A \cap B| < k] \le [\text{illegible}]. \qquad (5)$$

Proof. Let $u = 2\sqrt{kn}$. Consider any fixed $u$-subset $B \subseteq [n]$, and a randomly chosen $u$-subset $A = \{A_1, \ldots, A_u\} \subseteq [n]$. For $i = 1, \ldots, u$, let $Z_i$ be the Bernoulli trial such that $Z_i = 1$ if and only if $A_i \in B$. Then clearly
$$\Pr[Z_i = 1 \mid Z_1 = e_1, \ldots, Z_{i-1} = e_{i-1}] \ge \frac{u - (i-1)}{n - (i-1)} \ge \frac{u - (i-1)}{n}. \qquad (6)$$
Let $p_i = \frac{u - (i-1)}{n}$. Let $W = \sum_{i=1}^{u} p_i$. Then by (6),
$$W = \frac{1}{n} \sum_{i=1}^{u} \bigl(u - (i-1)\bigr) = \frac{1}{n} \sum_{i=1}^{u} i \ge \frac{u^2}{2n} = 2k. \qquad (7)$$
Therefore, (5) follows from (4) and (7), with $\delta = 1/2$. $\square$



2.2 Interactive Hashing

Interactive Hashing is a protocol introduced by Naor, Ostrovsky, Venkatesan, and Yung in the context of bit commitment and zero-knowledge proof [?]. Cachin, Crepeau, and Marcil [?] gave a new elegant analysis of interactive hashing. The protocol involves two parties, Alice and Bob. Bob has a secret $t$-bit string $x \in T \subseteq \{0,1\}^t$, where $|T| \le 2^{t-k}$ and $T$ is unknown to Alice. The protocol is defined to be correct and secure if

1. Bob sends $x$ in such a way that Alice receives two strings $x_0, x_1 \in \{0,1\}^t$, one of which is $x$, but Alice does not know which one is $x$.

2. Bob cannot force both $x_0$ and $x_1$ to be in $T$.

The following interactive hashing protocol is due to [?]. The same idea, involving taking inner products over $GF(2)$, was first introduced by Valiant and V. Vazirani earlier in the complexity of UNIQUE SATISFIABILITY [?].

NOVY Protocol: Alice randomly chooses $t-1$ linearly independent vectors $a_1, \ldots, a_{t-1} \in \{0,1\}^t$. The protocol then proceeds in $t-1$ rounds. In Round $i$, for each $i = 1, \ldots, t-1$,

1. Alice sends $a_i$ to Bob.

2. Bob computes $b_i = a_i \cdot x$, where $\cdot$ denotes inner product, and sends $b_i$ to Alice.

After the $t-1$ rounds, both Alice and Bob have the same system of linear equations $a_i \cdot x = b_i$ over $GF(2)$. Since the vectors $a_1, \ldots, a_{t-1} \in \{0,1\}^t$ are linearly independent, the system of $t-1$ linear equations over $GF(2)$ with $t$ unknowns has exactly two solutions, one of which is $x$. Therefore, by solving the system of equations $a_i \cdot x = b_i$, Alice receives two strings $x_0, x_1$, one of which is $x$. It is clear that information-theoretically, Alice does not know which solution is $x$. Thus Condition 1 of interactive hashing is satisfied.

The following important lemma, regarding Condition 2 of interactive hashing, was proved in [?]. The same result in a non-adversarial setting, more precisely in the case that Bob is honest, was proved in [?].
Lemma 5. [?] Suppose Alice and Bob engage in interactive hashing of a $t$-bit string, $\lg t \le k \le t$, by the NOVY protocol. Let $T \subseteq \{0,1\}^t$ be any subset with $|T| \le 2^{t-k}$. Then the probability that Bob can answer Alice's queries in such a way that $T$ contains both strings $x_0, x_1$ received by Alice, is at most [illegible].

Corollary 4. Let Alice and Bob engage in interactive hashing of a $t$-bit string as above. Let $T_0, T_1 \subseteq \{0,1\}^t$ be any two subsets with $|T_0|, |T_1| \le$ [illegible]. Then the probability that Bob can answer Alice's queries in such a way that either $x_0 \in T_0 \wedge x_1 \in T_1$, or $x_0 \in T_1 \wedge x_1 \in T_0$, is at most [illegible].

Proof. Let $T = T_0 \cup T_1$ in Lemma 5. $\square$

3 Protocol for $\binom{2}{1}$-OT

Recall that in a $\binom{2}{1}$-OT, the sender Alice has two secret bits $M_0, M_1 \in \{0,1\}$, and the receiver Bob has a secret bit $S \in \{0,1\}$. By definition, a $\binom{2}{1}$-OT protocol is correct and secure if the following three conditions are all satisfied:

1. Bob receives $M_S$.

2. Bob learns nothing about $M_{1 \oplus S}$, except with a small probability $\nu(k)$, where $k$ is a security parameter.

3. Alice learns nothing about $S$.

3.1 Outline of Basic Ideas

We first outline the basic ideas underlying our protocol for $\binom{2}{1}$-OT. First, Alice chooses random $A \subseteq [n]$, and Bob chooses random $B \subseteq [n]$, with $|A| = |B| = u = 2\sqrt{kn}$. Public random string $\alpha \xleftarrow{R} \{0,1\}^n$ is broadcast. Alice retains $\alpha[i]$ $\forall i \in A$, and Bob retains $\alpha[j]$ $\forall j \in B$. Alice then sends her subset $A$ to Bob, and Bob computes $A \cap B$. By the birthday paradox (Corollary 3), with very high probability, $|A \cap B| \ge k$.

Fact 1 (Encoding of Subsets) [?] Each of the $\binom{u}{k}$ $k$-element subsets of $[u] = \{1, \ldots, u\}$ can be uniquely encoded as a $\lg \binom{u}{k}$-bit string. See [?] for an efficient method of encoding and decoding.

Next, Bob encodes a random $k$-subset $s \subseteq A \cap B$ as a $\lg \binom{u}{k}$-bit string, and sends $s$ to Alice via the NOVY interactive hashing protocol. By the end of interactive hashing, Alice and Bob will have created two "keys", a good key $s_G = s$, and a bad key $s_B$, each a $k$-subset of $A$, such that: Bob knows $s_G(\alpha)$, but learns nothing about $s_B(\alpha)$, and Alice knows both $s_G(\alpha)$ and $s_B(\alpha)$, but does not know which key is good and which key is bad.

Once the keys $s_G$ and $s_B$ are created, the rest of the protocol is trivial. If Bob wants to read $M_S$, then he simply asks Alice to encrypt $M_S$ with the good key $s_G$, and $M_{1 \oplus S}$ with the bad key $s_B$, i.e. Bob asks Alice to send $M_S \oplus s_G(\alpha)$ and $M_{1 \oplus S} \oplus s_B(\alpha)$. The correctness and security of the protocol follow from the properties of $s_B$ and $s_G$ described above.
3.2 The Protocol, and Main Results

Notation: For a bit $Y \in \{0,1\}$, denote $\bar{Y} = 1 \oplus Y$.

Definition 5. Let $X = \{x_1, \ldots, x_u\}$ be a $u$-element set. For each subset $J \subseteq [u]$, define $X_J = \{x_i : i \in J\}$.

Notation: From now on, let $u = 2\sqrt{kn}$.

Our protocol for $\binom{2}{1}$-OT, Protocol A, is described below. Protocol A uses two public random strings $\alpha_0, \alpha_1 \xleftarrow{R} \{0,1\}^n$. In each of Steps 2 and 3, Alice and Bob each store $u = 2\sqrt{kn}$ bits. In the interactive hashing of Step 4, Alice transmits and Bob stores $t^2$ bits, where $t = \lg \binom{u}{k} \le k \cdot (\lg u - \lg (k/e))$. Since $k \ll n$, the storage requirement is dominated by $O(u) = O(\sqrt{kn})$.

Protocol A:

1. Alice randomly chooses $A^{(c)} = \{A^{(c)}_1, \ldots, A^{(c)}_u\} \subseteq [n]$ with $|A^{(c)}| = u$, for $c = 0, 1$. Bob also chooses random $B^{(c)} = \{B^{(c)}_1, \ldots, B^{(c)}_u\} \subseteq [n]$ with $|B^{(c)}| = u$, for $c = 0, 1$.

2. The first public random string $\alpha_0 \xleftarrow{R} \{0,1\}^n$ is broadcast. Alice stores the $u$ bits $\alpha_0[A^{(0)}_1], \ldots, \alpha_0[A^{(0)}_u]$, and Bob stores $\alpha_0[B^{(0)}_1], \ldots, \alpha_0[B^{(0)}_u]$.

3. After a short pause, the second public random string $\alpha_1 \xleftarrow{R} \{0,1\}^n$ is broadcast. Alice stores $\alpha_1[A^{(1)}_1], \ldots, \alpha_1[A^{(1)}_u]$, and Bob stores $\alpha_1[B^{(1)}_1], \ldots, \alpha_1[B^{(1)}_u]$.

4. Alice sends $A^{(0)}, A^{(1)}$ to Bob. Bob flips a coin $c \xleftarrow{R} \{0,1\}$, and computes $A^{(c)} \cap B^{(c)}$. If $|A^{(c)} \cap B^{(c)}| < k$, then Bob aborts. Otherwise, Bob chooses a random $k$-subset $s = \{A^{(c)}_{i_1}, \ldots, A^{(c)}_{i_k}\} \subseteq A^{(c)} \cap B^{(c)}$, and sets $I = \{i_1, \ldots, i_k\}$. Thus by Definition 5, $s = A^{(c)}_I$.

5. Bob encodes $I$ as a $t$-bit string, where $t = \lg \binom{u}{k}$, and sends $I$ to Alice via the NOVY interactive hashing protocol in $t-1$ rounds. Alice receives two $k$-subsets $I_0, I_1 \subseteq [u]$. For some $b \in \{0,1\}$, $I = I_b$, but Alice does not know $b$. Bob also computes $I_0, I_1$ by solving the same system of linear equations, and knows $b$.

6. Bob sends $e = b \oplus c$ and $r = S \oplus c$ to Alice, where $c$ and $b$ are defined in Steps 4 and 5 respectively.

7. Alice sets $s_0 = A^{(0)}_{I_e}$, $X_0 = s_0(\alpha_0)$, $s_1 = A^{(1)}_{I_{\bar e}}$, and $X_1 = s_1(\alpha_1)$. Alice then computes $C_0 = X_r \oplus M_0$, and $C_1 = X_{\bar r} \oplus M_1$, and sends $C_0, C_1$ to Bob.

8. Bob reads $M_S = C_S \oplus X_c = C_S \oplus \alpha_c[A^{(c)}_I]$. (Note that an honest Bob following the protocol has stored $\alpha_c[A^{(c)}_{i_j}]$ $\forall\, 1 \le j \le k$. Recall from Step 4 that $\forall\, 1 \le j \le k$, $A^{(c)}_{i_j} \in s \subseteq B^{(c)}$.)
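The following Python simulation of Protocol A with honest parties, including the NOVY interactive hashing of Step 5 and the subset encoding of Fact 1, is an added example and not code from the paper. It assumes toy parameters (n = 100, k = 3), a combinatorial-number-system encoding in place of the paper's cited encoding, brute-force solving of the GF(2) system, and repeats a hashing run whose second solution is not a valid code.

```python
"""Honest-party run of Protocol A (Section 3.2) with toy parameters.
Added example, not the paper's code.  Assumptions: the combinatorial number
system stands in for the subset encoding of Fact 1; u = 2*sqrt(kn) is rounded
down to an integer; the NOVY system is solved by brute force over 2^t
candidates (fine only for the tiny t here); a hashing run whose second
solution is not a valid code is repeated (a simplification, not in Protocol A).
Indices are 0-based, so [n] is range(n)."""
import math
import random

def subset_xor(alpha, s):
    """Definition 2: s(alpha) is the XOR of the bits alpha[i], i in s."""
    x = 0
    for i in s:
        x ^= alpha[i]
    return x

def encode_subset(I):
    """Rank of a k-subset I of [u]: sum of C(c_j, j) over the sorted
    elements c_1 < ... < c_k (a bijection onto 0 .. C(u,k)-1)."""
    return sum(math.comb(c, j + 1) for j, c in enumerate(sorted(I)))

def decode_subset(x, u, k):
    """Inverse of encode_subset; None if x is not a code (x >= C(u, k))."""
    if x >= math.comb(u, k):
        return None
    I = []
    for j in range(k, 0, -1):
        c = j - 1                       # C(j-1, j) = 0 <= x always holds
        while math.comb(c + 1, j) <= x:
            c += 1                      # largest c with C(c, j) <= x
        I.append(c)
        x -= math.comb(c, j)
    return frozenset(I)

def parity(v):
    return bin(v).count("1") & 1

def gf2_rank(vectors):
    """Rank over GF(2) of t-bit integers, via an XOR basis whose elements
    have distinct leading bits and are kept in descending order."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)           # clears b's leading bit from v
        if v:
            basis.append(v)
            basis.sort(reverse=True)
    return len(basis)

def novy(x, t, rng):
    """Section 2.2: Alice sends t-1 linearly independent a_i in {0,1}^t, Bob
    answers b_i = a_i . x; both solve the system.  Returns the two solutions
    sorted by value, so their order reveals nothing about x."""
    a = []
    while len(a) < t - 1:               # Alice: rejection-sample independent rows
        v = rng.getrandbits(t)
        if gf2_rank(a + [v]) == len(a) + 1:
            a.append(v)
    b = [parity(ai & x) for ai in a]    # Bob's t-1 one-bit answers
    sols = [y for y in range(1 << t)
            if all(parity(ai & y) == bi for ai, bi in zip(a, b))]
    assert len(sols) == 2 and x in sols  # an affine line in GF(2)^t
    return sols

def protocol_a(M0, M1, S, n, k, rng):
    """Steps 1-8 of Protocol A; returns the bit Bob reads, None if he aborts."""
    u = 2 * math.isqrt(k * n)
    t = max(1, math.ceil(math.log2(math.comb(u, k))))
    # Step 1: A[c] is A^(c) as an indexable list, B[c] is B^(c).
    A = [rng.sample(range(n), u) for _ in range(2)]
    B = [set(rng.sample(range(n), u)) for _ in range(2)]
    # Steps 2-3: alpha_c is broadcast; each party keeps only its own u bits.
    alpha = [[rng.getrandbits(1) for _ in range(n)] for _ in range(2)]
    alice_bits = [{i: alpha[c][i] for i in A[c]} for c in range(2)]
    bob_bits = [{j: alpha[c][j] for j in B[c]} for c in range(2)]
    # Step 4: Bob gets A^(0), A^(1), flips c, picks s = A^(c)_I in A^(c) ∩ B^(c).
    c = rng.getrandbits(1)
    common = [i for i, a in enumerate(A[c]) if a in B[c]]   # indices into A^(c)
    if len(common) < k:
        return None
    I = frozenset(rng.sample(common, k))
    # Step 5: interactive hashing of the code of I; Alice gets I_0, I_1, not b.
    while True:
        I0, I1 = (decode_subset(y, u, k) for y in novy(encode_subset(I), t, rng))
        if I0 is not None and I1 is not None:
            break
    b = 0 if I0 == I else 1
    e, r = b ^ c, S ^ c                                      # Step 6
    # Step 7 (Alice): s_0 = A^(0)_{I_e}, s_1 = A^(1)_{I_{1-e}}, then C_0, C_1.
    X = [subset_xor(alice_bits[0], [A[0][i] for i in (I0, I1)[e]]),
         subset_xor(alice_bits[1], [A[1][i] for i in (I0, I1)[e ^ 1]])]
    C = [X[r] ^ M0, X[r ^ 1] ^ M1]
    # Step 8 (Bob): X_c = alpha_c[A^(c)_I], all of whose bits he stored.
    return C[S] ^ subset_xor(bob_bits[c], [A[c][i] for i in I])

def run_trials(seeds, n=100, k=3):
    """(expected M_S, bit Bob read) for each seed and each (M0, M1, S)."""
    out = []
    for seed in seeds:
        for M0, M1, S in [(0, 0, 0), (0, 1, 0), (0, 1, 1), (1, 0, 1), (1, 1, 1)]:
            out.append(((M0, M1)[S], protocol_a(M0, M1, S, n, k, random.Random(seed))))
    return out
```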
Remark: Each of $A^{(0)}, A^{(1)}, B^{(0)}, B^{(1)}$ as described in Protocol A consists of $u$ independently chosen elements of $[n]$, resulting in $u \lg n$ bits each. However, as noted in [?], we can reduce the number of bits for describing the sets to $O(k \log n)$, by choosing the elements with $O(k)$-wise independence, without significantly affecting the results.

Lemma 6. The probability that an honest receiver Bob aborts in Step 4 of the protocol is at most [illegible].

Proof. By Corollary 3, $\Pr[|A^{(c)} \cap B^{(c)}| < k] \le$ [illegible]. $\square$

The following two lemmas about Protocol A are immediate.

Lemma 7. The receiver Bob can read $M_S$ simply by following the protocol.

Lemma 8. The sender Alice learns nothing about $S$.

Proof. Because Alice does not learn $c$ (defined in Step 4) and $b$ (defined in Step 5) in Protocol A. $\square$

Therefore, Conditions 1 and 2 for a correct and secure $\binom{2}{1}$-OT are satisfied. We now come to the most challenging part, namely, Condition 3 regarding the security against a dishonest receiver Bob, who can store $B = n/6$ bits, and whose goal is to learn both $M_0$ and $M_1$. While $\alpha_0$ is broadcast in Step 2, Bob computes an arbitrary function $\eta_0 = A_0(\alpha_0)$ using unlimited computing power, provided that $|\eta_0| = n/6$; and while $\alpha_1$ is broadcast in Step 3, Bob computes an arbitrary function $\eta_1 = A_1(\eta_0, \alpha_1)$, $|\eta_1| = n/6$. In Steps 4-6, using $\eta_1$ and $A^{(0)}, A^{(1)}$, Bob employs an arbitrary strategy in interacting with Alice. At the end of the protocol, Bob attempts to learn both $M_0$ and $M_1$, using his information $\eta_1$ on $(\alpha_0, \alpha_1)$, $C_0, C_1$ received from Alice in Step 7, and all information $\mathcal{I}$ he obtains in Steps 4-6. Thus in particular, $\mathcal{I}$ includes $A^{(0)}, A^{(1)}$ received from Alice in Step 4, and $I_0, I_1$ obtained in Step 5.

Theorem 1. For any $A_0 : \{0,1\}^n \to \{0,1\}^{n/6}$ and $A_1 : \{0,1\}^{n/6} \times \{0,1\}^n \to \{0,1\}^{n/6}$, for any strategy Bob employs in Steps 4-6 of Protocol A, with probability at least $1 - [\text{illegible}]$, $\exists\, \beta \in \{0,1\}$ such that for any distinguisher $\mathcal{D}$,
$$\left| \Pr[\mathcal{D}(\eta_1, \mathcal{I}, X_{\bar\beta}, X_\beta) = 1] - \Pr[\mathcal{D}(\eta_1, \mathcal{I}, X_{\bar\beta}, 1 \oplus X_\beta) = 1] \right| < 2^{-k/6}, \qquad (8)$$
where $\eta_1 = A_1(\eta_0, \alpha_1)$, $\eta_0 = A_0(\alpha_0)$, $\mathcal{I}$ denotes all the information Bob obtains in Steps 4-6, and $X_0, X_1$ are defined in Step 7 of Protocol A.

Theorem 1 says that using all the information he has in his bounded storage, Bob is not able to distinguish between $(X_{\bar\beta}, X_\beta)$ and $(X_{\bar\beta}, 1 \oplus X_\beta)$, for some $\beta \in \{0,1\}$, where $X_0, X_1$ are defined in Step 7 of Protocol A. From Theorem 1 we obtain:
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Theorem 2. For any Aq : {0, 1}” — > {0, 1}”/® and Ai : {0, 1}”/® x {0, 1}" — >■ 
{0, 1}"^®, for any strategy Boh employs in Steps 4 - 6 of Protoeol A, with proba- 
bility at least 1 — — 2~0 02 n+i^ 3 /3 G {0, 1} such that V Mq,Mi G {0, 1}, 

V 5 G {0, 1}, for any distinguisher T>, 



Pr [V{r]i,I,X-^®Ms,Xi 3 ®Mg) = 1] 



- Pr[D{r]i,I,X-^®Ms,Xf3®Mg) = 1 ] 



< 



2 ^ — kj3 



(9) 



where Xq,Xi, rji and I are as above. Therefore, the VIEW of Bob is essentially 
the same if Mg is replaced by Mj = 1 © Mg. Hence, in Protocol A, Bob learns 
essentially nothing about any non-trivial function or relation involving both Mq 
and Ml. 



Proof. It is clear that Q follows from (0 . Therefore, Theorem O follows from 
Theorem Q □ 

4 Proof of Theorem 1

In this section, we consider a dishonest receiver Bob, and prove Theorem 1. We first note that it suffices to prove the theorem in the case that Bob's recording functions $A_0, A_1$ are deterministic. This does not detract from the generality of our results for the following reason. By definition, a randomized algorithm is an algorithm that uses a random help-string $r$ for computing its output. A randomized algorithm $A$ with each fixed help-string $r$ gives rise to a deterministic algorithm $A^r$. Therefore, that Theorem 1 holds for any deterministic recording algorithm implies that for any randomized recording algorithm $A$, for each fixed help-string $r$, $A$ using $r$ cannot succeed. Hence, by an averaging argument, $A$ using a randomly chosen $r$ does not help. The reader might notice that the help-string $r$ could be arbitrarily long since Bob has unlimited computing power. In particular, it could be that $|r| > B$, thereby giving rise to a deterministic recording algorithm with length $|A^r| = |A| + |r| > B$. But our model imposes no restriction on the program size of the recording algorithm. The only restriction is that the length of the output $|A^r(\alpha)| = B$ for each $r$. In the formal model, $A$ is an unbounded non-uniform Turing Machine whose output tape is bounded by $B$ bits.

We prove a slightly stronger result, namely, Theorem 1 holds even if Bob stores not only $\eta_1$, but also $\eta_0$, where $\eta_0 = A_0(\alpha_0)$ and $\eta_1 = A_1(\eta_0, \alpha_1)$, $A_0, A_1$ are Bob's recording functions, and $\alpha_0, \alpha_1$ are the public random strings used in Steps 2 and 3 of Protocol A. Let
$$H_0 = A_0^{-1}(\eta_0) = \{\alpha \in \{0,1\}^n : A_0(\alpha) = \eta_0\};$$
$$H_1 = \{\alpha \in \{0,1\}^n : A_1(\eta_0, \alpha) = \eta_1\}.$$
After $\eta_0$ and $\eta_1$ are computed in Steps 2 and 3 of Protocol A, the receiver Bob can compute $H_0$ and $H_1$, using unlimited computing power and space. But given $\eta_0$ and $\eta_1$, all Bob knows about $(\alpha_0, \alpha_1)$ is that it is uniformly random in $H_0 \times H_1$, i.e. each element of $H_0 \times H_1$ is equally likely to be $(\alpha_0, \alpha_1)$.

Recall from Definition 4 that $H \subseteq \{0,1\}^n$ is fat if $|H| \ge$ [illegible]. By Corollary 1 and a union bound, for $\alpha_0, \alpha_1 \xleftarrow{R} \{0,1\}^n$, for any recording functions $A_0, A_1$,
$$\Pr[\text{Both } H_0 \text{ and } H_1 \text{ are fat}] \ge 1 - 2^{-0.02n+1}. \qquad (10)$$
Thus, consider the case that both $H_0$ and $H_1$ are fat. By Lemma 1, for any fat $H \subseteq \{0,1\}^n$,
$$|B_H| \le |\mathcal{K}| \cdot 2^{-k/3} = \binom{n}{k} \cdot 2^{-k/3}, \qquad (11)$$
where $B_H$ is defined in (2), i.e. almost all $k$-subsets of $[n]$ are good for $H$ (see Definition 3 for the definition of goodness). Next, we show that if $H$ is fat, then for a uniformly random $A \subseteq [n]$ s.t. $|A| = u$, with overwhelming probability, almost all $k$-subsets of $A$ are good for $H$.

Definition 6. For $A \subseteq [n]$, define $\mathcal{K}_A = \{s \subseteq A : |s| = k\}$, i.e. $\mathcal{K}_A$ is the set of all $k$-subsets of $A$.

Definition 7. For $A \subseteq [n]$ and $H \subseteq \{0,1\}^n$, define
$$B^A_H = \{s \in \mathcal{K}_A : s \text{ is not good for } H\}.$$

Lemma 9. Let $H \subseteq \{0,1\}^n$ be fat. For a uniformly random $A \subseteq [n]$ with $|A| = u$,
$$\Pr\left[ |B^A_H| \le \binom{u}{k} \cdot 2^{-k/6} \right] \ge 1 - 2^{-k/6}.$$
In other words, for almost all $A \subseteq [n]$ with $|A| = u$, almost all $k$-subsets of $A$ are good for any fat $H$.

Proof. Let $\mathcal{U}$ be the set of all the $\binom{n}{u}$ $u$-subsets of $[n]$. For each $A \in \mathcal{U}$, let $W_A = |B^A_H|$ be the number of $k$-subsets of $A$ that are bad for $H$. Let $W = \sum_{A \in \mathcal{U}} W_A$. Since each $k$-subset of $[n]$ is contained in exactly $\binom{n-k}{u-k}$ $u$-subsets, in the sum $W$ each bad $k$-subset of $[n]$ for $H$, i.e. every element of $B_H$ (defined in (2)), is counted exactly $\binom{n-k}{u-k}$ times. Together with (11) we have
$$W = \sum_{A \in \mathcal{U}} W_A = |B_H| \cdot \binom{n-k}{u-k} \le \binom{n}{k} \cdot 2^{-k/3} \cdot \binom{n-k}{u-k}. \qquad (12)$$

Fact 2. For $k \le u \le n$,
$$\binom{n}{k} \binom{n-k}{u-k} = \binom{n}{u} \binom{u}{k}. \qquad (13)$$

Therefore, by (12) and (13),
$$W = \sum_{A \in \mathcal{U}} W_A \le \binom{n}{u} \binom{u}{k} \cdot 2^{-k/3}. \qquad (14)$$
It follows that there can be at most a $2^{-k/6}$ fraction of $u$-subsets $A$ such that $|B^A_H| > \binom{u}{k} \cdot 2^{-k/6}$, for otherwise we would have $W > \binom{n}{u} \cdot 2^{-k/6} \cdot \binom{u}{k} \cdot 2^{-k/6} = \binom{n}{u} \binom{u}{k} \cdot 2^{-k/3}$, contradicting (14). The lemma thus follows. $\square$

Again let $A^{(0)}, A^{(1)}$ be the random $u$-subsets of $[n]$ Alice chooses in Step 1 of Protocol A. By (10), Lemma 9 and a union bound, for $\alpha_0, \alpha_1 \xleftarrow{R} \{0,1\}^n$, and uniformly random $A^{(0)}, A^{(1)} \subseteq [n]$ with $|A^{(0)}| = |A^{(1)}| = u$, with probability at least $1 - 2^{-k/6+1} - 2^{-0.02n+1}$,
$$\left|B^{A^{(0)}}_{H_0}\right|, \left|B^{A^{(1)}}_{H_1}\right| \le \binom{u}{k} \cdot 2^{-k/6}. \qquad (15)$$
Thus consider the case that both $A^{(0)}, A^{(1)}$ satisfy (15).

For each $c \in \{0,1\}$, denote $A^{(c)} = \{A^{(c)}_1, \ldots, A^{(c)}_u\}$. Recall from Definition 5 that for $J = \{j_1, \ldots, j_k\} \subseteq [u]$, $A^{(c)}_J = \{A^{(c)}_{j_1}, \ldots, A^{(c)}_{j_k}\}$. By Definition 6, $A^{(c)}_J \in \mathcal{K}_{A^{(c)}}$. Define
$$T_0 = \{J \subseteq [u] : |J| = k \wedge A^{(0)}_J \in B^{A^{(0)}}_{H_0}\},$$
$$T_1 = \{J \subseteq [u] : |J| = k \wedge A^{(1)}_J \in B^{A^{(1)}}_{H_1}\}.$$
Clearly $|T_0| = |B^{A^{(0)}}_{H_0}|$, and $|T_1| = |B^{A^{(1)}}_{H_1}|$. Thus by (15), we have
$$|T_0|, |T_1| \le \binom{u}{k} \cdot 2^{-k/6}. \qquad (16)$$
Consider $I_0, I_1$ defined in Step 5 of Protocol A. Let $e$ be the first bit Bob sends Alice in Step 6 of Protocol A. Then by (10), (15), (16), and Corollary 4 of Lemma 5 on interactive hashing, for any strategy Bob uses in Steps 4-6, with probability at least $1 - [\text{illegible}] - 2^{-0.02n+1}$, $I_e \notin T_0 \,\vee\, I_{\bar e} \notin T_1$, where $\bar e = 1 \oplus e$. WLOG, say $I_{\bar e} \notin T_1$. Let $s_0 = A^{(0)}_{I_e}$, $X_0 = s_0(\alpha_0)$, $s_1 = A^{(1)}_{I_{\bar e}}$, and $X_1 = s_1(\alpha_1)$, as defined in Step 7 of Protocol A. Since $I_{\bar e} \notin T_1$, by definition $s_1 \notin B^{A^{(1)}}_{H_1}$, i.e. $s_1$ is good for $H_1$. Note again that given $\eta_0$ and $\eta_1$, and thus $H_0$ and $H_1$, all Bob knows about $(\alpha_0, \alpha_1)$ is that $(\alpha_0, \alpha_1)$ is uniformly random in $H_0 \times H_1$. Since $s_1$ is good for $H_1$, by (1) for the definition of goodness, for $\alpha_1 \xleftarrow{R} H_1$,
$$|\Pr[X_1 = 0] - \Pr[X_1 = 1]| < 2^{-k/6}. \qquad (17)$$
For $(\alpha_0, \alpha_1) \xleftarrow{R} H_0 \times H_1$, $X_0$ and $X_1$ are independent. Thus together with (17), for $(\alpha_0, \alpha_1) \xleftarrow{R} H_0 \times H_1$, for any $b_0 \in \{0,1\}$,
$$|\Pr[X_1 = 0 \mid X_0 = b_0] - \Pr[X_1 = 1 \mid X_0 = b_0]| < 2^{-k/6}. \qquad (18)$$
Thus, from (18) and all the above, Theorem 1 follows (with $\beta = 1$).
5 Discussion

Building on the work of Cachin, Crepeau, and Marcil [?], we have given a similar but more efficient protocol for $\binom{2}{1}$-OT in the bounded storage model, and provided a stronger security analysis.

Having proved a stronger result than that of [?], we note that the model of [?] is slightly stronger than ours in the following sense. In [?], the dishonest receiver Bob computes an arbitrary function on all public random bits, and stores $B$ bits of output. In our model, $\alpha_0$ is first broadcast. Bob computes and stores $\eta_0 = A_0(\alpha_0)$, which is a function of $\alpha_0$. Then $\alpha_0$ disappears. After a short pause, $\alpha_1$ is broadcast, and Bob computes and stores $\eta_1 = A_1(\eta_0, \alpha_1)$, which is a function of $\eta_0$ and $\alpha_1$. However, we claim that our model is reasonable, as with limited storage, in practice it is impossible for Bob to compute a function on all of $\alpha_0$ and $\alpha_1$, with $|\alpha_0| = |\alpha_1| > B$, that are broadcast one after another, with a pause in between. Furthermore, we believe that by a more detailed analysis, it is possible to show that our results hold even in the stronger model, where Bob computes an arbitrary function $A(\alpha_0, \alpha_1)$ on all bits of $\alpha_0$ and $\alpha_1$.

As the CCM Protocol, our protocol employs interactive hashing, resulting in an inordinate number of interactions. Further, the communication complexity of the NOVY protocol is quadratic in the size of the string to be transmitted. It thus remains a most important open problem to make this part of the protocol non-interactive and more communication efficient.

Can the storage requirement of our protocol be further improved? For very large $n$, $O(\sqrt{kn})$ may not be small enough to be practical. It becomes another important open problem to investigate the feasibility of reducing the storage requirement for OT in the bounded storage model, and establish lower bounds.

We also note that the constant hidden by $O(\cdot)$ in our results is not optimized. We believe that this can be improved by refining the analysis of Lemma 1 as well as the analysis of interactive hashing in [?].
Appendix A: Proof of Lemma 1

Definition 8. Let $s = (a_1, \ldots, a_k) \in [n]^k$. For $\alpha \in \{0,1\}^n$, define $s(\alpha)$ as in Definition 2, i.e. $s(\alpha) = \bigoplus_{i=1}^{k} \alpha[a_i]$.

Definition 9. Let $s \in [n]^k$. Let $H \subseteq \{0,1\}^n$. Define the goodness of $s$ for $H$ as in Definition 3, i.e. $s$ is good for $H$ if (1) holds.

The following main lemma is proved in [?].

Main Lemma 1 [?] Let $H \subseteq \{0,1\}^n$. Denote
$$\mathcal{B}_H = \{s \in [n]^k : s \text{ is not good for } H\}. \qquad (19)$$
If $H$ is fat, then
$$|\mathcal{B}_H| \le [\text{illegible}]. \qquad (20)$$

We now prove Lemma 1 from Main Lemma 1. Let $\mathcal{B}'_H \subseteq \mathcal{B}_H$ be the subset of bad $k$-tuples with $k$ distinct coordinates, i.e.
$$\mathcal{B}'_H = \{s = (a_1, \ldots, a_k) \in \mathcal{B}_H : a_i \ne a_j\ \forall\, i \ne j\}. \qquad (21)$$
Then clearly
$$|\mathcal{B}'_H| = |B_H| \cdot k!, \qquad (22)$$
where $B_H$ is defined in (2). By way of contradiction, suppose that Lemma 1 does not hold, i.e.
$$|B_H| > \binom{n}{k} \cdot 2^{-k/3}. \qquad (23)$$
Then by (22) and (23) and the fact that $\mathcal{B}'_H \subseteq \mathcal{B}_H$, we have
$$|\mathcal{B}_H| \ge |\mathcal{B}'_H| = |B_H| \cdot k! > \binom{n}{k} \cdot k! \cdot 2^{-k/3}. \qquad (24)$$
Observe that
$$\binom{n}{k} \cdot k! = \prod_{i=0}^{k-1} (n - i) \ge n^k \left( 1 - \sum_{i=1}^{k-1} \frac{i}{n} \right) \ge \frac{n^k}{2} \quad \text{for } k \le \sqrt{n}. \qquad (25)$$
Therefore, if Lemma 1 does not hold, i.e. if (23) holds, then by (24) and (25),
$$|\mathcal{B}_H| > n^k \cdot 2^{-k/3 - 1}, \qquad (26)$$
contradicting (20). Thus, Lemma 1 must hold.
Abstract. In this paper we show that any two-party functionality can
be securely computed in a constant number of rounds, where security is 
obtained against malicious adversaries that may arbitrarily deviate from 
the protocol specification. This is in contrast to Yao’s constant-round 
protocol that ensures security only in the face of semi-honest adversaries, 
and to its malicious adversary version that requires a polynomial number 
of rounds. 

In order to obtain our result, we present a constant-round protocol for 
secure coin-tossing of polynomially many coins (in parallel). We then 
show how this protocol can be used in conjunction with other existing 
constructions in order to obtain a constant-round protocol for securely 
computing any two-party functionality. On the subject of coin-tossing, 
we also present a constant-round perfect coin-tossing protocol, where by 
“perfect” we mean that the resulting coins are guaranteed to be statis- 
tically close to uniform (and not just pseudorandom). 



1 Introduction

1.1 Secure Two-Party Computation

In the setting of two-party computation, two parties, with respective private
inputs $x$ and $y$, wish to jointly compute a functionality $f(x,y) =
(f_1(x,y), f_2(x,y))$, such that the first party receives $f_1(x,y)$ and the second party
receives $f_2(x,y)$. This functionality may be probabilistic, in which case $f(x,y)$ is
a random variable. Loosely speaking, the security requirements are that nothing
is learned from the protocol other than the output (privacy), and that the output
is distributed according to the prescribed functionality (correctness). The
actual definition mm blends these two conditions (see Section 2). This must
be guaranteed even when one of the parties is adversarial. Such an adversary
may be semi-honest, in which case it correctly follows the protocol specification,
yet attempts to learn additional information by analyzing the transcript of
messages received during the execution. On the other hand, an adversary may be
malicious, in which case it can arbitrarily deviate from the protocol specification.

The first general solutions for the problem of secure computation were
presented by Yao HH for the two-party case (with security against semi-honest
adversaries) and Goldreich, Micali and Wigderson for the multi-party case
(with security even against malicious adversaries). Thus, despite the stringent
security requirements placed on such protocols, wide-ranging completeness
results were established, demonstrating that any probabilistic polynomial-time
functionality can be securely computed (assuming the existence of trapdoor
permutations).

Yao’s protocol. In m Yao presented a constant-round protocol for securely
computing any functionality, where the adversary may be semi-honest. Denote
Party 1 and Party 2’s respective inputs by $x$ and $y$ and let $f$ be the functionality
that they wish to compute (for simplicity, assume that both parties wish to
receive $f(x,y)$). Loosely speaking, Yao’s protocol works by having one of the
parties (say Party 1) first generate an “encrypted” circuit computing $f(x, \cdot)$ and
send it to Party 2. The circuit is such that it reveals nothing in its encrypted form
and therefore Party 2 learns nothing from this stage. However, Party 2 can obtain
the output $f(x,y)$ by “decrypting” the circuit. In order to ensure that nothing
is learned beyond the output itself, this decryption must be “partial” and must
reveal $f(x,y)$ only. Without going into unnecessary details, this is accomplished
by Party 2 obtaining a series of keys corresponding to its input $y$ such that given
these keys and the circuit, the output value $f(x,y)$ (and only this value) may be
obtained. Of course, Party 2 must obtain these keys without revealing anything
about $y$, and this can be done by running $|y|$ instances of a (semi-honest) secure
1-out-of-2 Oblivious Transfer protocol [7], which is constant-round. By running
the Oblivious Transfer protocols in parallel, this protocol requires only a constant
number of rounds.

Now consider what happens if Yao’s protocol is run when the adversary may
be malicious. Firstly, we have no guarantee that Party 1 constructed the circuit so
that it correctly computes $f(x, \cdot)$. Thus, correctness may be violated (intuitively,
this can be solved using zero-knowledge proofs). Secondly, the Oblivious Transfer
protocol must satisfy the requirements for secure computation (in the face of
malicious adversaries), and must maintain its security when run in parallel. We
note that we know of no such (highly secure) oblivious transfer protocol that runs
in a constant number of rounds. Finally, if the functionality $f$ is probabilistic,
then Party 1 must be forced to input a truly random string into the circuit.
Thus, some type of coin-tossing protocol is also required.

Secure protocol compilation. As we have mentioned, Goldreich, Micali and
Wigderson 1 1 2f I ,'-ij showed that assuming the existence of trapdoor permutations,
there exist protocols for securely computing any multi-party functionality, where
the adversary may be malicious. They achieve this in two stages. First, they show
a protocol for securely computing any functionality in the semi-honest adversarial
model. Next, they construct a protocol compiler that takes any semi-honest
protocol and “converts” it into a protocol that is secure in the malicious model.
As this compiler is generic, it can be applied to any semi-honest protocol and
in particular, to the constant-round two-party protocol of Yao. However, due to
the nature of their compilation, the output protocol is no longer constant-round.
1.2 Our Results

The focus of this paper is to construct a protocol compiler such that the round-complexity
of the compiled protocol is of the same order as that of the original
protocol. We observe that the only component of the GMW compiler for which
there does not exist a constant-round construction is that of coin-tossing in
the well [3]. Therefore, our technical contribution is in constructing a constant-round
protocol for coin-tossing in the well of polynomially many coins. That is,
we obtain the following theorem (informally stated):

Theorem 1 (constant-round coin-tossing): Assuming the existence of one-way
functions, there exists a constant-round protocol for the coin-tossing functionality
(as required by the GMW compiler).

In order to construct such a constant-round protocol we introduce a technique
relating to the use of commitment schemes, which we believe may be useful in
other settings as well. Commitment schemes are a basic building block and are
used in the construction of many protocols. Consider, for example, Blum’s protocol
for coin-tossing a single bit [3]. In this protocol, Party 1 sends a commitment
to a random bit; then, Party 2 replies with its own random bit and finally Party 1
decommits. The difficulty in simulating such protocols is that the simulator only
knows the correct value to commit to after the other party sends its message.
However, since the simulator is bound to its commitment, it must somehow guess
the correct value before this message is sent. In case the messages are long (say
$n$ bits rather than a single bit or $\log n$ bits), this may be problematic. Thus,
rather than decommitting, we propose to have the party reveal the committed
value and then prove (in zero-knowledge) the validity of this revealed value. In
a real execution, this is equivalent to decommitting, since the committing party
is effectively bound to the committed value by the zero-knowledge proof. However,
the simulator is able to provide a simulated zero-knowledge proof (rather
than a real one). Furthermore, this proof remains indistinguishable from a real
proof even if the revealed value is incorrect (and thus the statement is false).
Therefore, the simulator can effectively “decommit” to any value it wishes and
is not bound in any way by the original commitment that it sends.

Combining the constant-round protocol of Theorem 1 with other known constructions,
we obtain the following theorem:

Theorem 2 Assume the existence of one-way functions. Then, there exists a
protocol compiler that given a two-party protocol $\Pi$ for securely computing $f$ in
the semi-honest model produces a two-party protocol $\Pi'$ that securely computes
$f$ in the malicious model, so that the number of rounds of communication in $\Pi'$
is within a constant factor of the number of rounds of communication in $\Pi$.

We stress that, when ignoring the “round preservation” clause, the existence of
a protocol compiler is not new and has been shown in mm (in fact, as we have
mentioned, we use most of the components of their compiler). Our contribution
is in reducing the overhead of the compiler, in terms of the round-complexity,
to a constant. The main result, stated in the following theorem, is obtained by
applying the compiler of Theorem 2 to the constant-round protocol of Yao.
Theorem 3 Assuming the existence of trapdoor permutations, any two-party
functionality can be securely computed in the malicious model in a constant num- 
ber of rounds. 

On the subject of coin-tossing, we also present a constant-round protocol for 
“perfect” coin-tossing (of polynomially many coins) that guarantees that the 
output of the coin-tossing protocol is statistically close to uniform, and not just 
computationally indistinguishable. 



1.3 Related Work 

In the setting of multi-party computation with an honest majority, Beaver, Micali
and Rogaway [2] showed that any functionality can be securely computed
in a constant number of rounds, where the adversary may be malicious. Unfor- 
tunately, their technique relies heavily on the fact that a majority of the parties 
are honest and as such cannot be applied to the case of two-party protocols. As 
we have described, in this paper we establish the analogous result for the setting 
of two-party computation. 



1.4 Organization 

In Section 2 we present the definition of secure two-party computation. Then,
in Section 3 we discuss the protocol compiler of GMW and observe that in
order to achieve “round-preserving” compilation, one needs only to construct a
constant-round coin-tossing protocol. Our technical contribution in this paper
thus begins in Section 4 where we present such a constant-round coin-tossing
protocol. Finally, in Section 5 we show how perfect coin-tossing can be achieved.

2 Definitions — Secure Computation

In this section we present the definition of secure two-party computation. Our
presentation is based on 0, which in turn follows imini. We first introduce the
following notation: $U_n$ denotes the uniform distribution over $\{0,1\}^n$; for a set
$S$ we denote $s \in_R S$ when $s$ is chosen uniformly from $S$; finally, computational
indistinguishability is denoted by $\stackrel{\mathrm{c}}{\equiv}$ and statistical closeness by $\stackrel{\mathrm{s}}{\equiv}$.

Two-party computation. A two-party protocol problem is cast by specifying a
random process that maps pairs of inputs to pairs of outputs (one for each party).
We refer to such a process as a functionality and denote it $f : \{0,1\}^* \times \{0,1\}^* \to
\{0,1\}^* \times \{0,1\}^*$, where $f = (f_1, f_2)$. That is, for every pair of inputs $(x,y)$,
the output-pair is a random variable $(f_1(x,y), f_2(x,y))$ ranging over pairs of
strings. The first party (with input $x$) wishes to obtain $f_1(x,y)$ and the second
party (with input $y$) wishes to obtain $f_2(x,y)$. We often denote such a functionality
by $(x,y) \mapsto (f_1(x,y), f_2(x,y))$. Thus, for example, the basic coin-tossing
functionality is denoted by $(1^n, 1^n) \mapsto (U_n, U_n)$.
Adversarial behavior. Loosely speaking, the aim of a secure two-party protocol
col is to protect an honest party against dishonest behavior by the other party. 
This “dishonest behavior” can manifest itself in a number of ways; in partic- 
ular, we focus on what are known as semi-honest and malicious adversaries. 
A semi-honest adversary follows the prescribed protocol, yet attempts to learn 
more information than “allowed” from the execution. Specifically, the adver- 
sary may record the entire message transcript of the execution and attempt to 
learn something beyond the protocol output. On the other hand, a malicious 
adversary may arbitrarily deviate from the specified protocol. When consider- 
ing malicious adversaries, there are certain undesirable actions that cannot be 
prevented. Specifically, a party may refuse to participate in the protocol, may 
substitute its local input (and enter with a different input) and may abort the 
protocol prematurely. 

Security of protocols (informal). The security of a protocol is analyzed by com- 
paring what an adversary can do in the protocol to what it can do in an ideal 
scenario that is secure by definition. This is formalized by considering an ideal 
computation involving an incorruptible trusted third party to whom the parties 
send their inputs. The trusted party computes the functionality on the inputs 
and returns to each party its respective output. Loosely speaking, a protocol is 
secure if any adversary interacting in the real protocol (where no trusted third 
party exists) can do no more harm than if it was involved in the above-described 
ideal computation. 

Execution in the ideal model. The ideal model differs for semi-honest and ma- 
licious parties. First, for semi-honest parties, an ideal execution involves each 
party sending their respective input to the trusted party and receiving back 
their prescribed output. An honest party then outputs this output, whereas a 
semi-honest party may output an arbitrary (probabilistic polynomial-time com- 
putable) function of its initial input and the message it obtained from the trusted 
party. (See 0 for a formal definition of the ideal and real models for the case of 
semi-honest adversaries.) 

We now turn to the ideal model for malicious parties. Since some malicious 
behavior cannot be prevented (for example, early aborting) , the definition of the 
ideal model in this case is somewhat more involved. An ideal execution proceeds 
as follows: 

Inputs: Each party obtains an input, denoted $z$.

Send inputs to trusted party: An honest party always sends $z$ to the trusted
party. A malicious party may, depending on $z$, either abort or send some
$z' \in \{0,1\}^{|z|}$ to the trusted party.

Trusted party answers first party: In case it has obtained an input pair,
$(x,y)$, the trusted party (for computing $f$), first replies to the first party
with $f_1(x,y)$. Otherwise (i.e., in case it receives only one input), the trusted
party replies to both parties with a special symbol, $\perp$.

Trusted party answers second party: In case the first party is malicious it
may, depending on its input and the trusted party’s answer, decide to stop
the trusted party. In this case the trusted party sends $\perp$ to the second party.
Otherwise (i.e., if not stopped), the trusted party sends $f_2(x,y)$ to the second
party.

Outputs: An honest party always outputs the message it has obtained from 
the trusted party. A malicious party may output an arbitrary (probabilistic 
polynomial-time computable) function of its initial input and the message 
obtained from the trusted party. 

Let $f : \{0,1\}^* \times \{0,1\}^* \mapsto \{0,1\}^* \times \{0,1\}^*$ be a functionality, where $f = (f_1, f_2)$,
and let $M = (M_1, M_2)$ be a pair of families of non-uniform probabilistic expected
polynomial-time machines (representing parties in the ideal model). Such a pair
is admissible if for at least one $i \in \{1,2\}$ we have that $M_i$ is honest. Then, the
joint execution of $f$ under $M$ in the ideal model (on input pair $(x,y)$), denoted
$\mathrm{ideal}_{f,M}(x,y)$, is defined as the output pair of $M_1$ and $M_2$ from the above ideal
execution. For example, in the case that $M_1$ is malicious and always aborts at
the outset, the joint execution is defined as $(M_1(x, \perp), \perp)$. Whereas, in case $M_1$
never aborts, the joint execution is defined as $(M_1(x, f_1(x', y)), f_2(x', y))$ where
$x' = M_1(x)$ is the input that $M_1$ gives to the trusted party.

Execution in the real model. We next consider the real model in which a real 
(two-party) protocol is executed (and there exists no trusted third party). In 
this case, a malicious party may follow an arbitrary feasible strategy; that is, 
any strategy implementable by non-uniform expected polynomial-time machines. 
In particular, the malicious party may abort the execution at any point in time 
(and when this happens prematurely, the other party is left with no output). 

Let $f$ be as above and let $\Pi$ be a two-party protocol for computing $f$. Furthermore,
let $M = (M_1, M_2)$ be a pair of families of non-uniform probabilistic
expected polynomial-time machines (representing parties in the real model). Such
a pair is admissible if for at least one $i \in \{1,2\}$ we have that $M_i$ is honest (i.e.,
follows the strategy specified by $\Pi$). Then, the joint execution of $\Pi$ under $M$
in the real model (on input pair $(x,y)$), denoted $\mathrm{real}_{\Pi,M}(x,y)$, is defined as the
output pair of $M_1$ and $M_2$ resulting from the protocol interaction.

Security as emulation of a real execution in the ideal model. Having defined the 
ideal and real models, we can now define security of protocols. Loosely speaking, 
the definition asserts that a secure two-party protocol (in the real model) em- 
ulates the ideal model (in which a trusted party exists). This is formulated by 
saying that admissible pairs in the ideal model are able to simulate admissible 
pairs in an execution of a secure real-model protocol. 

Definition 4 (security in the malicious model): Let $f$ and $\Pi$ be as above. Protocol
$\Pi$ is said to securely compute $f$ (in the malicious model) if there exists
a probabilistic polynomial-time computable transformation of pairs of admissible
families of non-uniform probabilistic expected polynomial-time machines
$A = (A_1, A_2)$ for the real model into pairs of admissible families of non-uniform
probabilistic expected polynomial-time machines $B = (B_1, B_2)$ for the ideal model
such that

$$\{\mathrm{ideal}_{f,B}(x,y)\}_{x,y\ \mathrm{s.t.}\ |x|=|y|} \ \stackrel{\mathrm{c}}{\equiv}\ \{\mathrm{real}_{\Pi,A}(x,y)\}_{x,y\ \mathrm{s.t.}\ |x|=|y|}$$
Remark: The above definition is different from the standard definition in that
the adversary (in both the ideal and real models) is allowed to run in ex- 
pected polynomial-time (rather than strict polynomial-time). This seems to be 
inevitable given that currently known constant-round zero-knowledge proofs re- 
quire expected polynomial-time simulation. We stress that an honest party always 
runs in strict polynomial time. 

3 Two-Party Computation Secure Against Malicious 
Adversaries 

3.1 The Compiler of Goldreich, Micali, and Wigderson [13]

Goldreich, Micali and Wigderson m showed that assuming the existence of
trapdoor permutations, there are secure protocols (in the malicious model) for
any multi-party functionality. Their methodology works by first presenting a
protocol secure against semi-honest adversaries. Next, a compiler is applied that
transforms any protocol secure against semi-honest adversaries into a protocol
secure against malicious adversaries. Thus, their compiler can also be applied to
the constant-round two-party protocol of Yao El (as it is secure against semi-honest
adversaries). However, as we shall see, the output protocol itself is not
constant-round. In this section, we describe the [13] compiler and show what
should be modified in order to obtain a constant-round compiler instead.

Enforcing semi-honest behavior. The GMW compiler takes as input a protocol
secure against semi-honest adversaries; from here on we refer to this as the “basic
protocol”. Recall that this protocol is secure in the case that each party follows
the protocol specification exactly, using its input and uniformly chosen random
tape. Thus, in order to obtain a protocol secure against malicious adversaries, we
need to force potentially malicious parties to behave in a semi-honest manner.
First and foremost, this involves forcing the parties to follow the prescribed 
protocol. However, this only makes sense relative to a given input and random 
tape. Furthermore, a malicious party must be forced into using a uniformly 
chosen random tape. This is because the security of the basic protocol may 
depend on the fact that the party has no freedom in setting its own randomness. 

An informal description of the GMW compiler. In light of the above discussion, 
the compiler begins by having each party commit to its input. Next, the par- 
ties run a coin-tossing protocol in order to fix their random tapes (clearly, this 
protocol must be secure against malicious adversaries). A regular coin-tossing 
protocol in which both parties receive the same uniformly distributed string 
does not help us here. This is because the parties’ random tapes must remain 
secret. This is solved by augmenting the coin-tossing protocol so that one party 
receives a uniformly distributed string (to be used as its random tape) and the 
other party receives a commitment to that string. Now, following these two 
steps, each party holds its own uniformly distributed random-tape and a com- 
mitment to the other party’s input and random-tape. Therefore, each party can 
be “forced” into working consistently with this specific input and random-tape. 



178 



Y. Lindell 



We now describe how this behavior is enforced. A protocol specification is a
deterministic function of a party’s view consisting of its input, random tape and
messages received so far. As we have seen, each party holds a commitment to the
input and random tape of the other party. Furthermore, the messages sent so far
are public. Therefore, the assertion that a new message is computed according
to the protocol is of the $\mathcal{NP}$ type (and the party sending the message knows an
adequate $\mathcal{NP}$-witness to it). Thus, the parties can use zero-knowledge proofs to
show that their steps are indeed according to the protocol specification. As the 
proofs used are zero-knowledge, they reveal nothing. On the other hand, due to 
the soundness of the proofs, even a malicious adversary cannot deviate from the 
protocol specification without being detected. We thus obtain a reduction of the 
security in the malicious case to the given security of the basic protocol against 
semi-honest adversaries. 

In summary, the components of the compiler are as follows (from here on “secure” 
refers to security against malicious adversaries): 

1. Input Commitment: In this phase the parties execute a secure protocol 
for the following functionality: 

$$((x,r), 1^n) \mapsto (\lambda, C(x;r))$$

where x is the party’s input string (and r is the randomness chosen by the 
committing party). 

A secure protocol for this functionality involves the committing party sending
$C(x;r)$ to the other party followed by a zero-knowledge proof of knowledge of
{x,r). Note that this functionality ensures that the committing party knows 
the value being committed to. 

2. Coin Generation: The parties generate t-bit long random tapes (and cor- 
responding commitments) by executing a secure protocol in which one party 
receives a commitment to a uniform string of length t and the other party 
receives the string itself (to be used as its random tape) and the decommit- 
ment (to be used later for proving “proper behavior”). That is, the parties 
compute the functionality: 

$$(1^n, 1^n) \mapsto ((U_t, U_{t \cdot n}), C(U_t; U_{t \cdot n}))$$

(where we assume that to commit to a $t$-bit string, $C$ requires $t \cdot n$ random
bits).

3. Protocol Emulation: In this phase, the parties run the basic protocol 
whilst proving (in zero-knowledge) that their steps are consistent with their 
input string, random tape and prior messages received. 

A detailed description of each phase of the compiler and a full proof that the
resulting protocol is indeed secure against malicious adversaries can be found
in 0.

3.2 Achieving Round-Preserving Compilation 

As we have mentioned, our aim in this work is to show that the GMW compiler 
can be implemented so that the number of rounds in the resulting compiled 
protocol is within a constant factor of the number of rounds in the original semi-
honest protocol. We begin by noting that using currently known constructions, 
Phases 1 and 3 of the GMW compiler can be implemented in a constant number 
of rounds. That is, 

Proposition 5 Assuming the existence of one-way functions, both the input-commitment
and protocol-emulation phases can be securely implemented in a
constant number of rounds.

First consider the input-commitment phase. As mentioned above, this phase can
be securely implemented by having the committing party send a perfectly binding
commitment of its input to the other party, followed by a zero-knowledge
proof of knowledge of the committed value. Both constant-round commitment
schemes and constant-round zero-knowledge arguments of knowledge are known
to exist by the works of Naor m and Feige and Shamir 0, respectively (these
constructions can also be based on any one-way function). Thus the input-commitment
phase can be implemented as required for Proposition 5. Next,
we recall that a secure implementation of the protocol emulation phase requires
zero-knowledge proofs for $\mathcal{NP}$ only. Thus, once again, using the argument system
of |S|, this can be implemented in a constant number of rounds (using any
one-way function).

Constant-round coin tossing. In contrast to the input-commitment and protocol-emulation
phases of the GMW compiler, known protocols for tossing polynomially
many coins do not run in a constant number of rounds. Rather, single coins
are tossed sequentially (and thus $\mathrm{poly}(n)$ rounds are needed). In particular, the
proof of m does not extend to the case that many coins are tossed in parallel.
Thus, in order to obtain a round-preserving compiler, it remains to present a
secure protocol for the coin-generation functionality that works in a constant
number of rounds. Furthermore, it is preferable to base this protocol on the existence
of one-way functions only (so that this seemingly minimal assumption is
all that is needed for the entire compiler). In the next section we present such a
coin-tossing protocol, thereby obtaining Theorem 1 (as stated in the introduction).



3.3 Constant-Round Secure Computation 

Recall that by Yao m, assuming the existence of trapdoor permutations, any
two-party functionality can be securely computed in the semi-honest model in
a constant number of rounds. Thus, applying the constant-round compiler of
Theorem 2 to Yao’s protocol, we obtain a constant-round protocol that is secure

^ We note that the protocol for the commit functionality, as described in [2|, is for a
single bit only (and thus the compiler there runs this protocol sequentially for each
bit of the input). However, the proof for the commit functionality remains almost
identical when the functionality is extended to commitments of $\mathrm{poly}(n)$-bit strings
(rather than for just a single bit).
in the malicious model, and prove Theorem 3. That is, assuming the existence of
trapdoor permutations, any two-party functionality can be securely computed
in the malicious model in a constant number of rounds.



4 The Augmented Coin-Tossing Protocol

4.1 The Augmented Coin-Tossing Functionality

In this section we present our coin-tossing protocol, thus proving Theorem 1. In
a basic coin-tossing functionality, both parties receive identical uniformly distributed
strings. That is, the functionality is defined as: $(1^n, 1^n) \mapsto (U_m, U_m)$ for
some $m = \mathrm{poly}(n)$. This basic coin-tossing is augmented as follows. Let $F$ be any
deterministic function. Then, define the augmented coin-tossing functionality by:

That is, the first party indeed receives a uniformly distributed string. However,
the second party receives $F$ applied to that string (rather than the string itself).
Setting $F$ to the identity function, we obtain basic coin-tossing. However, recall
that the coin-generation component of the GMW compiler requires the following
functionality:

$$(1^n, 1^n) \mapsto ((U_t, U_{t \cdot n}), C(U_t; U_{t \cdot n}))$$

where $C$ is a commitment scheme (and we assume that $C$ requires $n$ random
bits for every bit committed to). Then, this functionality can be realized with
our augmentation by setting $m = t + t \cdot n$ and $F(U_m) = C(U_t; U_{t \cdot n})$. Thus,
the second party receives a commitment to a uniformly distributed string of
length $t$ and the first party receives the string and its decommitment. Recall
that in the compiler, the party uses the $t$-bit string as its random tape and the
decommitment in order to prove in zero-knowledge that it is acting consistently
with this random tape (and its input).



4.2 Motivating Discussion 

In order to motivate our construction of a constant-round coin-tossing protocol, 
we consider the special case of basic coin-tossing (i.e., where F is the identity 
function). A natural attempt at a coin-tossing protocol follows: 

Protocol 1 (Attempt at Basic Coin-Tossing):

1. Party 1 chooses a random string $s_1 \in_R \{0,1\}^m$ and sends $c = \mathrm{Commit}(s_1) =
C(s_1; r)$ (where $r$ is randomly chosen).

2. Party 2 chooses a random string $s_2 \in_R \{0,1\}^m$ and sends it to Party 1.

3. Party 1 decommits to $s_1$ by sending the pair $(s_1, r)$.

Party 1 always outputs $s \stackrel{\mathrm{def}}{=} s_1 \oplus s_2$, whereas Party 2 outputs $s_1 \oplus s_2$ if Party 1’s
decommitment is correct and $\perp$ otherwise.
We note that when $m = 1$ (i.e., a single bit), the above protocol is the basic coin-tossing
protocol of Blum [3] (a formal proof of the security of this protocol can
be found in j^). However, here we are interested in a parallelized version where
the parties attempt to simultaneously generate an $m$-bit random string (for any
$m = \mathrm{poly}(n)$). Intuitively, due to the secrecy of the commitment scheme, the
string $s_2$ chosen by (a possibly malicious) Party 2 cannot be dependent on the
value of $s_1$. Thus if $s_1$ is chosen uniformly, the resulting string $s = s_1 \oplus s_2$ is close
to uniform. On the other hand, consider the case that Party 1 may be malicious.
Then, by the protocol, Party 1 is committed to $s_1$ before Party 2 sends $s_2$. Thus,
if $s_2$ is chosen uniformly, the string $s = s_1 \oplus s_2$ is uniformly distributed. We note
that due to the binding property of the commitment scheme, Party 1 cannot
alter the initial string committed to. We conclude that neither party is able to
bias the output string.

However, the infeasibility of either side to bias the resulting string is not 
enough to show that the protocol is secure. This is because the definition of 
secure computation requires that the protocol simulate an ideal execution in 
which a trusted third party chooses a random string s and gives it to both 
parties. Loosely speaking, this means that there exists a simulator that works 
in the ideal model and simulates an execution with a (possibly malicious) party 
such that the joint output distribution (in this ideal scenario) is indistinguishable 
from when the parties execute the real protocol. 

Protocol 1 seems not to fulfill this more stringent requirement. That is, our
problem in proving the security of Protocol 1 is with constructing the required
simulator. The main problem that occurs is regarding the simulation of Party 2.

Simulating a malicious Party 2: The simulator receives a uniformly distributed
string s and must generate an execution consistent with s. That is, the commit-
ment c = C(s1) given by the simulator to Party 2 must be such that s1 ⊕ s2 = s
(where s2 is the string sent by Party 2 in Step 2 of the protocol). However,
s1 is chosen and fixed (via a perfectly binding commitment) before s2 is cho-
sen by Party 2. Since the commitment is perfectly binding, even an all-powerful
simulator cannot “cheat” and decommit to a different value. This problem is
compounded by the fact that Party 2 may choose s2 based on the commit-
ment received to s1 (by say invoking a pseudorandom function on c). Therefore,
rewinding Party 2 and setting s1 to equal s ⊕ s2 will not help (as s2 will change
and thus once again s1 ⊕ s2 will equal s with only negligible probability). We
note that this problem does not arise in the single-bit case as there are only two
possible values for s2 and thus the simulator succeeds with probability 1/2 each
time.
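To make the rewinding difficulty concrete, the following added example (mine, not code from the paper) models the parallel protocol in Python. A hash commitment C(s; r) = SHA-256(r ‖ s) stands in for the perfectly binding scheme, a malicious Party 2 derives s2 from the commitment it receives through a pseudorandom function (HMAC under a fixed, constructed key, exactly the strategy mentioned above), and a simulator rewinds by recommitting to fresh values of s1 until s1 ⊕ s2 equals its target s. All class and function names, the hash-based commitment and the PRF key are assumptions of this example.

```python
import hashlib
import hmac
import random

# Added illustration of the rewinding difficulty discussed above; this is not
# code from the paper. C(s; r) = SHA-256(r || s) stands in for the perfectly
# binding commitment, and the PRF key, names and parameters are all constructed.


def commit(s: int, r: bytes, m: int) -> bytes:
    """C(s; r): commit to the m-bit string s with randomness r."""
    return hashlib.sha256(r + s.to_bytes((m + 7) // 8, "big")).digest()


def open_ok(c: bytes, s: int, r: bytes, m: int) -> bool:
    """Decommitment check: does (s, r) open c?"""
    return hmac.compare_digest(c, commit(s, r, m))


def random_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def honest_run(m: int, rng: random.Random) -> int:
    """Both parties honest: Step 1 commit, Step 2 send s2, Step 3 decommit."""
    s1, r = rng.getrandbits(m), random_bytes(rng, 16)
    c = commit(s1, r, m)
    s2 = rng.getrandbits(m)
    if not open_ok(c, s1, r, m):
        raise ValueError("Party 2 rejects the decommitment")
    return s1 ^ s2


def binding_check(m: int = 16, seed: int = 0) -> bool:
    """After committing, Party 1 cannot open c to a different string."""
    rng = random.Random(seed)
    s1, r = rng.getrandbits(m), random_bytes(rng, 16)
    c = commit(s1, r, m)
    return open_ok(c, s1, r, m) and not open_ok(c, s1 ^ 1, r, m)


class MaliciousParty2:
    """Picks s2 as a PRF of the commitment it received, so rewinding Party 1
    to a fresh commitment changes s2 as well (the case described above)."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def choose_s2(self, c: bytes, m: int) -> int:
        digest = hmac.new(self.key, c, "sha256").digest()
        return int.from_bytes(digest, "big") & ((1 << m) - 1)


def rewinding_simulator(m, target, adversary, rng, max_rewinds):
    """Try to reach the output `target` by rewinding Party 2: each attempt commits
    to a fresh s1, gets s2 back, and succeeds iff s1 xor s2 == target.
    Returns the number of attempts used, or None when the budget is exhausted."""
    for attempt in range(1, max_rewinds + 1):
        s1, r = rng.getrandbits(m), random_bytes(rng, 16)
        s2 = adversary.choose_s2(commit(s1, r, m), m)
        if s1 ^ s2 == target:
            return attempt
    return None


def single_attempt_rate(m: int, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of single attempts that hit a random m-bit target (about 2**-m)."""
    rng = random.Random(seed)
    adversary = MaliciousParty2(b"constructed-prf-key")
    hits = sum(
        rewinding_simulator(m, rng.getrandbits(m), adversary, rng, 1) is not None
        for _ in range(trials)
    )
    return hits / trials


def mean_rewinds(m: int, trials: int = 400, seed: int = 2) -> float:
    """Average number of rewinds until the target is hit (about 2**m)."""
    rng = random.Random(seed)
    adversary = MaliciousParty2(b"constructed-prf-key")
    budget = 1 << (m + 8)
    total = 0
    for _ in range(trials):
        used = rewinding_simulator(m, rng.getrandbits(m), adversary, rng, budget)
        total += budget if used is None else used
    return total / trials


if __name__ == "__main__":
    for m in (1, 2, 4, 8):
        print(f"m={m}: per-attempt success {single_attempt_rate(m):.4f}, "
              f"mean rewinds {mean_rewinds(m):.1f}")
```

For m = 1 the per-attempt success rate is about 1/2, matching the single-bit case in the text; for m bits it falls to about 2^(−m), so the expected number of rewinds grows as 2^m and rewinding alone cannot yield a polynomial-time simulator once m grows beyond O(log n). The binding check shows the other half of the picture: once c is sent, the same r cannot open it to a different s1, so the simulator cannot simply "decommit" to the value it needs.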

A problem relating to abort: The above problem arises even when the parties
never abort. However, another problem in simulation arises due to the ability
of the parties to abort. In particular, simulation of Party 1 in Protocol 1 is
easy assuming that Party 1 never aborts. On the other hand, when Party 1's
abort probability is unknown (and specifically when it is neither negligible nor
noticeable), we do not know how to construct a simulator that does not skew the
real probability of abort in the simulated execution. Once again, this problem
is considerably easier in the single-bit case since Party 1's decision of whether
or not to abort is based on only a single bit sent by Party 2 in Step 2 of the
protocol (and so there are only three possible probabilities).

We note that basic coin-tossing is a special case of the augmented coin-tossing 
functionality. Thus, the same problems (and possibly others) must be solved 
in order to obtain an augmented coin-tossing protocol. As we will show, our 
solutions for these problems are enough for the augmented case as well. 

Evidence that Protocol 1 is not secure: One may claim that the above 3-round
protocol may actually be secure and that the above-described difficulties are due
to our proof technique. However, it can be shown that if there exists a secure 3-
round protocol for coin-tossing (where the simulation uses black-box access to the
malicious party), then there exist 3-round black-box zero-knowledge arguments
for NP. By [ref], this would imply that NP ⊆ BPP. We note that all known
simulations of secure protocols are indeed black-box.



4.3 The Actual Protocol 

Before presenting the protocol itself, we discuss how we solve the problems de- 
scribed in the above motivating discussion. 

• Party 1 is malicious: As described, when Party 1 is malicious, the problem
that arises is that of aborting. In particular, Party 1 may decide to abort
depending on the string s2 sent to it by Party 2. This causes a problem in
ensuring that the probability of abort in the simulation is negligibly close
to that in a real execution. This is solved by having Party 1 send a proof
of knowledge of s1 after sending the commitment. Then, the simulator can
extract s1 from the proof of knowledge and can send s2 = s1 ⊕ s (where
s is the string chosen by the trusted party) without waiting for Party 1 to
decommit in a later step.

• Party 2 is malicious: As described, the central problem here is that Party 1
must commit itself to s1 before s2 is known (yet s1 ⊕ s2 must equal s).
This cannot be solved by rewinding because Party 2 may choose s2 based on
the commitment to s1 that it receives (and thus changing the commitment
changes the value of s2). We solve this problem by not having Party 1 de-
commit at all; rather, it sends s = s1 ⊕ s2 (or F(s1 ⊕ s2) in the augmented
case) and proves in zero-knowledge that the value sent is consistent with its
commitment and s2. Thus, the simulator (who can generate proofs to false
statements of this type) is able to “cheat” and send s (or F(s)) irrespective
of the real value committed to in Step 1 (see footnote).

This technique of not decommitting, but rather revealing the committed
value and proving (in zero-knowledge) that this value is correct, is central to
our simulation strategy. Specifically, it enables us to “decommit” to a value
that is unknown at the time of the commitment. (As we have mentioned,
in order for the simulation to succeed, Party 2 must be convinced that the
commitment of Step 1 is to s1, where s1 ⊕ s2 = s. However, the correct value
of s1 is only known to the simulator after Step 2.)

Footnote: In general, nothing can be said about a simulated proof of a false statement. How-
ever, in the specific case of statements regarding commitment values, proofs of false
statements are indistinguishable from proofs of valid statements. This is due to the
hiding property of the commitment scheme.

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation 183

We now present our constant-round protocol for the augmented secure coin-
tossing functionality: (1^n, 1^n) ↦ (U_m, F(U_m)), for m = poly(n). For the sake of
simplicity, our presentation uses a non-interactive commitment scheme (which is
easily constructed given any 1-1 one-way function). However, the protocol can
easily be modified so that an interactive commitment scheme is used instead (in
particular, the two-round scheme of Naor [ref]).

Protocol 2 (Augmented Parallel Coin-Tossing):

1. Party 1 chooses s1 ∈_R {0,1}^m and sends c = C(s1; r) for a random r to
Party 2 (using a perfectly binding commitment scheme).

2. Party 1 proves knowledge of (s1, r) with a (constant round) zero-knowledge
argument of knowledge with negligible error. If the proof fails, then Party 2
aborts with output ⊥.

3. Party 2 chooses s2 ∈_R {0,1}^m and sends s2 to Party 1.

4. If until this point Party 1 received an invalid message from Party 2, then
Party 1 aborts, outputting ⊥.

Otherwise, Party 1 sends y = F(s1 ⊕ s2).

5. Party 1 proves to Party 2 using a (constant round) zero-knowledge argument
that there exists a pair (s1, r) such that c = C(s1; r) and y = F(s1 ⊕ s2) (that
is, Party 1 proves that y is consistent with c and s2; see footnote). If the proof fails, then
Party 2 aborts with output ⊥.

6. Output:

• Party 1 outputs s1 ⊕ s2 (even if Party 2 fails to correctly complete the
verification of the proof in Step 5).

• Party 2 outputs y.



Round complexity: Using the constant-round zero-knowledge argument system
of Feige and Shamir [ref] and the constant-round commitment scheme of Naor [ref],
Protocol 2 requires a constant number of rounds only. We note that the proof
system of Feige and Shamir is also a proof of knowledge.

Footnote: It may appear that the reason that Party 1 does not decommit to c is due to the fact
that Party 2 should only learn F(s), and not s itself (if Party 1 decommits, then s
is clearly revealed). Following this line of thinking, if F was the identity function,
then Steps 4 and 5 could be replaced by Party 1 sending the actual decommitment.
However, we stress that we do not know how to prove the security of such a modified
protocol. The fact that Party 1 does not decommit, even when F is the identity
function, is crucial to our proof of security.
Sufficient assumptions: All the components of Protocol 2 can be implemented
using any one-way function. In particular the string commitment of Naor [ref] can
be used (this requires an additional pre-step in which Party 2 sends a random
string to Party 1; however this step is of no consequence to the proof). Fur-
thermore, the zero-knowledge argument of knowledge of Feige and Shamir [ref] can be used in both
Steps 2 and 5. Since both of these protocols only assume the existence
of one-way functions, this is the only assumption required for the protocol.

Theorem 6 Assuming the existence of one-way functions, Protocol 2 is a secure
protocol for augmented parallel coin-tossing.

Proof: We need to show how to efficiently transform any admissible pair of
machines (A1, A2) for the real model into an admissible pair of machines (B1, B2)
for the ideal model. We denote the trusted third party by T, the coin-tossing
functionality by f and Protocol 2 by Π. We first consider the case that A1 is
adversarial.

Lemma 7 Let (A1, A2) be an admissible pair of probabilistic expected
polynomial-time machines for the real model in which A2 is honest. Then, there
exists an efficient transformation of (A1, A2) into an admissible pair of prob-
abilistic expected polynomial-time machines (B1, B2) for the ideal model such
that

\[ \{\mathrm{ideal}_{f,\overline{B}}(1^n, 1^n)\}_{n \in \mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{real}_{\Pi,\overline{A}}(1^n, 1^n)\}_{n \in \mathbb{N}} \]

Proof Sketch: In this case the second party is honest and thus B2 is deter-
mined. We now briefly describe the transformation of the real-model adversary
A1 into an ideal-model adversary B1. Machine B1 emulates an execution of A1
with A2 by playing the role of (an honest party) A2 in most of the execution. (In
particular, B1 verifies the zero-knowledge proofs provided by A1 and “checks”
that A1 is not cheating.) However, instead of randomly choosing the string s2
in Step 3 (as A2 would), machine B1 first obtains the value s1 (committed to
by A1) by running the extractor for the proof of knowledge of Step 2. Then, B1
sets s2 = s1 ⊕ s where s is the output provided by the trusted third party.

It is easy to see that if A1 follows the instructions of Protocol 2 then the
output distributions in the ideal and real models are identical. This is because
A1’s view in the ideal-model emulation with B1 is identical to that of a real
execution with A2. Furthermore, since s1 ⊕ s2 = s, the result of the execution is
consistent with the outputs chosen by the trusted third party. However, A1 may
not follow the instructions of the protocol and nevertheless we must show that
the real and ideal output distributions remain computationally indistinguishable
(in fact, they are even statistically close). This can be seen by noticing that
differences between the ideal and real executions can occur only if the extraction
fails even though A1 succeeded in proving the proof of Step 2, or if A1 successfully
cheats in the zero-knowledge proof of Step 5. Since both of these events occur
with at most negligible probability, we have that the distributions are statistically
close. ■

We now consider the case that A2 is adversarial. 
Lemma 8 Let (A1, A2) be an admissible pair of probabilistic expected
polynomial-time machines for the real model in which A1 is honest. Then, there
exists an efficient transformation of (A1, A2) into an admissible pair of prob-
abilistic expected polynomial-time machines (B1, B2) for the ideal model such
that

\[ \{\mathrm{ideal}_{f,\overline{B}}(1^n, 1^n)\}_{n \in \mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{real}_{\Pi,\overline{A}}(1^n, 1^n)\}_{n \in \mathbb{N}} \]



Proof Sketch: In this case the first party is honest and thus B1 is determined.
We now transform the real-model adversary A2 into an ideal-model adversary
B2, where the transformation is such that B2 uses black-box access to A2. Specif-
ically, B2 chooses a uniform random tape, denoted R, for A2 and invokes A2 on
input 1^n and random tape R. Once the input and random tape are fixed, A2 is
a deterministic function of messages received during a protocol execution. Thus
A2(1^n, R, m̄) denotes the message sent by A2 with input 1^n, random-tape R and
sequence m̄ of incoming messages to A2.

The transformation works by having B2 emulate an execution of A2, while
playing A1’s role. Machine B2 does this when interacting with the trusted third
party T and its aim is to obtain an execution with A2 that is consistent with the
output received from T. Therefore, B2 has both external communication with T
and “internal”, emulated communication with A2. Machine B2 works as follows:

1. The ideal adversary B2 chooses a uniformly distributed random tape R for
the real adversary A2, invokes A2(1^n, R) and (internally) passes to A2 the
commitment c = C(0^m; r) for a random r (recall that in a real execution,
A2 expects to receive C(s1; r) for a random s1).

2. B2 invokes the simulator for the zero-knowledge argument of knowledge of
the decommitment of c, using A2(1^n, R, c) as the verifier. (That is, this is a
simulation of the proof of knowledge that A1 is supposed to give to A2 in
a real execution.)

3. B2 obtains s2 from A2. (Recall that this is formally stated by having B2
compute the function A2(1^n, R, c, t_pok), where t_pok is the resulting transcript
from the zero-knowledge proof of knowledge simulation.)

If at any point until here A2 sent an invalid message, then B2 aborts and
outputs A2(1^n, R, c, t_pok).

4. The ideal adversary B2 sends 1^n to the (external) trusted third party T and
receives the output F(s).

Next, B2 (internally) passes to A2 the string y = F(s).

5. B2 invokes the simulator for the zero-knowledge proof of Step 5 of the Pro-
tocol with the verifier role being played by A2(1^n, R, c, t_pok, y). Denote the
transcript from the simulation of the zero-knowledge proof by t_pf.

6. B2 outputs A2(1^n, R, c, t_pok, y, t_pf).

We need to show that

\[ \{\mathrm{ideal}_{f,\overline{B}}(1^n, 1^n)\}_{n \in \mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{real}_{\Pi,\overline{A}}(1^n, 1^n)\}_{n \in \mathbb{N}} \]

The following differences are evident between the ideal and real executions: 
• The commitment received by A2 (in the internal emulation by B2) is to 0^m,
rather than to a random string consistent with y = F(s) and s2 (as is the case
in a real execution). However, by the indistinguishability of commitments,
this should not make a difference.

• In the internal emulation by B2, the zero-knowledge proofs are simulated 
and not real proofs. However, by the indistinguishability of simulated proofs, 
this should also not make a difference. As mentioned above, this holds even 
though the statement “proved” by B2 in Step 5 is false with overwhelming 
probability. 

The natural way to proceed at this point would be to define a hybrid experiment
in which the commitment given by B2 to A2 is to s1 and yet the zero-knowledge
proofs are simulated. (In this hybrid experiment, s1 must be such that y =
F(s1 ⊕ s2).) However, such a hybrid experiment is problematic because the value
of s1 that is consistent with both y (from T) and s2 is unknown at the point that
B2 generates the commitment. We must therefore bypass this problem before
defining the hybrid experiment. We do this by defining the following mental
experiment with a modified party B2' (replacing Step 4 only of B2 above):

4'. B2' chooses s1 ∈_R {0,1}^m (independently of what it has previously seen) and
computes y = F(s1 ⊕ s2) (rather than obtaining y = F(s) from T).

Next, B2' (internally) passes A2 the string y.

Notice that B2' does not interact with any trusted third party at all. Rather,
it chooses a uniformly distributed s, and computes F(s) itself (observe that
choosing s1 uniformly and setting s = s1 ⊕ s2 is equivalent to uniformly choosing
s). We stress that B2' does not work in the ideal model, but is rather a mental
experiment. Despite this, since B2' chooses s1 independently of what it has seen,
the distribution generated by B2' is identical to that of the ideal model (where s
is chosen by the trusted party).

Next, notice that if we move the step in which s1 is chosen to before the
first step of B2', then this makes no difference to the output distribution. Having
done this, it is possible for B2' to send a commitment to s1 rather than to 0^m.
Thus, the above-described hybrid experiment can be defined. That is, we define a
hybrid setting (with a party B2'') in which B2'' initially sends a commitment to s1
(rather than to 0^m). Thus, in terms of the commitment, the hybrid experiment
is identical to a real execution (and different to the mental experiment and ideal
model). On the other hand, the zero-knowledge proofs in the hybrid experiment
are simulated (as in the mental experiment), rather than being actual proofs
(as in the real model). Then, the indistinguishability of the mental experiment
from the real model is demonstrated by first showing the indistinguishability of
the hybrid and mental experiments (where the only difference is regarding
the initial commitment) and then showing the indistinguishability of the hybrid
and real executions (where the only difference is regarding the simulated zero-
knowledge proofs). Since the output of an ideal-model execution is identically
distributed to the output from the mental experiment, this completes the proof.
■

This completes the proof of Theorem 6. ■
4.4 Comparing Protocol 2 to the Protocol of Goldreich [ref]

The protocol for augmented coin-tossing presented by Goldreich [ref] is for tossing
a single bit only (i.e., where m = 1). Thus, in order to toss polynomially many
coins, Goldreich suggests running the single-bit protocol many times sequentially.
However, the only difference between Protocol 2 and the protocol of [ref] is that
here m can be any value polynomial in n and there m is fixed at 1 (i.e., by
setting m = 1 in our protocol, we obtain the exact protocol of [ref]). Despite this,
our proof is different and works for any m = poly(n) whereas the proof of [ref]
relies heavily on m = 1 (or at the most m = O(log n)) (see footnote). Furthermore, there
is a conceptual difference in the role of the two zero-knowledge proofs in the
protocol. In [ref], these proofs are used in order to obtain augmented coin-tossing
(and are not needed for the case that F is the identity function). However, here
these proofs are used for obtaining coin-tossing of m = poly(n) coins in parallel,
even when F is the identity function.



5 Perfect Coin-Tossing

In this section we present a constant-round protocol for perfect coin tossing. By
perfect coin tossing, we mean that the output distribution of a real execution is
statistically close to the output distribution of the ideal process (rather than the
distributions being only computationally indistinguishable as required by secure
computation); see Theorem 9. As in the previous section, the functionality we
consider is that of augmented coin tossing: (1^n, 1^n) ↦ (U_m, F(U_m)).

The protocol is almost identical to Protocol 2 except that the commitment
scheme used is perfectly hiding and the zero-knowledge arguments are perfect.
These primitives are known to exist assuming the existence of families of clawfree
functions or collision-resistant hash functions. Thus we rely here on a (seemingly)
stronger assumption than merely the existence of one-way functions. We note
that the single-bit protocol (m = 1) is a protocol for perfect coin tossing of a single bit and thus
perfect coin tossing of m coins can be achieved in O(m) rounds (see the proof
in [ref] which actually demonstrates statistical closeness). In this section we show
that perfect coin tossing of polynomially many coins can also be achieved in a
constant number of rounds.

Protocol 3 (Augmented Perfect Coin-Tossing):

An augmented perfect coin-tossing protocol is constructed by taking Protocol 2
and making the following modifications:

• The commitment sent by Party 1 in Step 1 is perfectly hiding.

• The proof of knowledge provided by Party 1 in Step 2 is perfect zero-
knowledge.

• The proof provided by Party 1 in Step 5 is a perfect zero-knowledge proof
of knowledge. (Recall that in Protocol 2 this proof need not be a proof of
knowledge.)

Footnote: In private communication, Goldreich stated that he did not know whether or not his
protocol [ref] can be parallelized.
Constant-round perfect zero-knowledge arguments of knowledge are known
to exist assuming the existence of constant-round perfectly hiding commit-
ment schemes [ref]. Furthermore, constant-round perfectly-hiding commitment
schemes can be constructed using families of clawfree [ref] or collision-resistant
hash functions [ref]. These commitment schemes work by having the receiver
first uniformly choose a function f from the family designated in the proto-
col. The receiver then sends f to the sender who uses it to commit to a string
by sending a single message. Thus, using such a scheme, Protocol 3 begins by
Party 2 choosing a function f from a clawfree or collision-resistant family and
sending it to Party 1. Then, Party 1 commits using f.

We stress the use of arguments of knowledge for both proofs here, whereas
in Protocol 2 the proof of Step 5 need not be a proof of knowledge. The reason
for this is that since the commitment is perfectly hiding, c is essentially a valid
commitment to every s1 ∈ {0,1}^m. Thus, every y is “consistent” with c and
s2. Therefore, what we need to ensure is that y is consistent with s2 and the
decommitment of c that are known to Party 1. This can be accomplished using
a proof of knowledge.

Theorem 9 Assuming the existence of perfectly-hiding commitment schemes,
Protocol 3 is a secure protocol for augmented perfect coin-tossing. That is, there
exists an efficient transformation of every admissible pair of probabilistic expected
polynomial-time machines for the real model (A1, A2) into an admissible pair
of probabilistic expected polynomial-time machines for the ideal model (B1, B2),
such that

\[ \{\mathrm{ideal}_{f,\overline{B}}(1^n, 1^n)\}_{n \in \mathbb{N}} \stackrel{s}{\equiv} \{\mathrm{real}_{\Pi_3,\overline{A}}(1^n, 1^n)\}_{n \in \mathbb{N}} \]

where f is the augmented coin-tossing functionality and Π3 denotes Protocol 3.

The proof of this theorem is very similar to the proof of Theorem 6, the main
difference being with respect to the fact that the initial commitment is not
perfectly binding.
Abstract. The fundamental operation in elliptic curve cryptographic
schemes is the multiplication of an elliptic curve point by an integer. This 
paper describes a new method for accelerating this operation on classes 
of elliptic curves that have efficiently-computable endomorphisms. One 
advantage of the new method is that it is applicable to a larger class 
of curves than previous such methods. For this special class of curves, a 
speedup of up to 50% can be expected over the best general methods for 
point multiplication. 



1 Introduction

Let E be an elliptic curve defined over a finite field F_q. The dominant cost op-
eration in elliptic curve cryptographic schemes is point multiplication, namely
computing kQ where Q is an elliptic curve point and k is an integer. This op-
eration is the additive analogue of the exponentiation operation in a general
(multiplicatively-written) finite group. The basic technique for exponentiation is
the repeated square-and-multiply algorithm. Numerous methods for speeding up
exponentiation and point multiplication have been discussed in the literature;
for a survey, see [ref]. These methods can be categorized as follows:

1. Generic methods which can be applied to speed up exponentiation in any
finite abelian group, including:

a) Comb techniques (e.g. [ref]) which precompute tables which depend on
Q. Such techniques are applicable when the base point Q is fixed and
known a priori, for example in ECDSA signature generation.

b) Addition chains which are useful when k is fixed, for example in RSA
decryption.

c) Windowing techniques which are useful when the base point Q is not
known a priori, for example in Diffie-Hellman key agreement.

d) Simultaneous multiple exponentiation techniques for computing expres-
sions k1Q1 + k2Q2 + ··· + ktQt, for example in ECDSA signature verifi-
cation.

2. Exponent recoding techniques which replace the binary representation of k
with a representation which has fewer non-zero terms (e.g., [ref]).

3. Methods which are particular to elliptic curve point multiplication such as:

3. Methods which are particular to elliptic curve point multiplication such as: 
a) Selection of an underlying finite field which enables faster field arith-
metic. For example, selection of a prime field F_p where p is a Mersenne
prime or a Mersenne-like prime [ref], or an optimal extension field [ref].

b) Selection of a representation of the underlying finite field which enables
faster field arithmetic. For example, selection of an irreducible trinomial
as the reduction polynomial for binary extension fields.

c) Selection of a point representation which enables faster elliptic curve
arithmetic [ref].

d) Selection of an elliptic curve with special properties, for example Koblitz
curves [ref].

Koblitz curves are elliptic curves defined over F_2, and were first proposed
for cryptographic use in [ref]. The primary advantage of Koblitz curves is that
the Frobenius endomorphism can be exploited to devise fast point multiplication
algorithms that do not use any point doublings [ref]. These techniques can be
generalized to use arbitrary endomorphisms but are generally not efficient.

The contribution of this paper is a new technique for speeding up point
multiplication on elliptic curves having an efficiently-computable endomorphism.
While the technique is not as efficient as the methods of Solinas [ref] for
Koblitz curves, it is useful for speeding up point multiplication on a larger
class of elliptic curves, for example certain curves over prime fields. Such ellip-
tic curves over prime fields have been included in the WAP WTLS (Wireless
Transport Layer Security) standard [ref]. We believe the ideas discussed in this
paper are new (though not difficult). In particular, we believe that the approach
of decomposing k modulo n, and applying just one application of the endomor-
phism is different than the methods of previous papers. The result is a technique
which works on a wider class of curves (in particular, curves defined over prime
fields), and works with endomorphisms whose computational cost is not neces-
sarily cheaper than a point operation. For this class of curves, a speedup of up
to 50% can be expected over the best general methods for point multiplication.

The remainder of this paper is organized as follows. Section 2 defines an endomor-
phism and reviews how the Frobenius endomorphism can be used to speed up
point multiplication on Koblitz curves. Our new work for speeding up point mul-
tiplication on elliptic curves which have efficiently-computable endomorphisms
is described in Sections 3 and 4. The security of the new method is considered in Section 5.
Finally, we draw our conclusions and discuss avenues for future work in Section 6.

2 Endomorphisms

Let E be an elliptic curve defined over the finite field F_q. The point at infinity is
denoted by O. For any n ≥ 1, the group of F_{q^n}-rational points on E is denoted
by E(F_{q^n}).

An endomorphism of E is a rational map φ : E → E satisfying φ(O) = O
[ref]. If the rational map is defined over F_q, then the endomorphism φ is also said
to be defined over F_q. In this case, φ is a group homomorphism of E(F_q), and
also of E(F_{q^n}) for any n ≥ 1.
Example 1. Let E be an elliptic curve defined over F_q. For each m ∈ Z the
multiplication by m map [m] : E → E defined by P ↦ mP is an endomorphism
defined over F_q. A special case is the negation map defined by P ↦ −P.

Example 2. Let E be an elliptic curve defined over F_q. Then the q-th power map
φ : E → E defined by (x, y) ↦ (x^q, y^q) and O ↦ O is an endomorphism defined
over F_q, called the Frobenius endomorphism. Since exponentiating to the q-th
power is a linear operation in F_{q^n}, computation of φ(P) is normally quite fast.
For example, if a normal basis of F_{q^n} over F_q is used, this computation can be
implemented as a cyclic shift of the vector representation.

Example 3 (§7.2.3 of [ref]). Let p ≡ 1 (mod 4) be a prime, and consider the
elliptic curve

\[ E_1 : y^2 = x^3 + ax \qquad (1) \]

defined over F_p. Let α ∈ F_p be an element of order 4. Then the map φ : E_1 → E_1
defined by (x, y) ↦ (−x, αy) and O ↦ O is an endomorphism defined over F_p.
If P ∈ E_1(F_p) is a point of prime order n, then φ acts on ⟨P⟩ as a multiplication
map [λ], i.e., φ(Q) = λQ for all Q ∈ ⟨P⟩, where λ is an integer satisfying λ^2 ≡ −1
(mod n). Note that φ(Q) can be computed using only one multiplication in F_p.

Example 4 (§7.2.3 of [ref]). Let p ≡ 1 (mod 3) be a prime, and consider the
elliptic curve

\[ E_2 : y^2 = x^3 + b \qquad (2) \]

defined over F_p. Let β ∈ F_p be an element of order 3. Then the map φ : E_2 → E_2
defined by (x, y) ↦ (βx, y) and O ↦ O is an endomorphism defined over F_p. If
P ∈ E_2(F_p) is a point of prime order n, then φ acts on ⟨P⟩ as a multiplication
map [λ], where λ is an integer satisfying λ^2 + λ ≡ −1 (mod n). Note that φ(Q)
can be computed using only one multiplication in F_p.



Example 5 (§7.2.3 of [ref]). Let p > 3 be a prime such that −7 is a perfect square
in F_p, and let ω = (1 + √−7)/2, and let a = (ω − 3)/4. Consider the elliptic
curve

\[ E_3 : y^2 = x^3 - \tfrac{3}{4}x^2 - 2x - 1 \qquad (3) \]

defined over F_p. Then the map φ : E_3 → E_3 defined by

\[ (x, y) \mapsto \left( \frac{x^2 - \omega}{\omega^2 (x - a)},\; \frac{\omega^{-3}\, y\, (x^2 - 2ax + \omega)}{(x - a)^2} \right) \]

and O ↦ O is an endomorphism defined over F_p. Computing the endomorphism
is a little harder than doubling a point.
Example 6 (§14B of [ref]). Let p > 3 be a prime such that −2 is a perfect square
in F_p, and consider the elliptic curve

\[ E_4 : y^2 = 4x^3 - 30x - 28 \qquad (4) \]

defined over F_p. Then the map φ : E_4 → E_4 defined by

\[ (x, y) \mapsto \left( -\frac{2x^2 + 4x + 9}{4(x + 2)},\; -\frac{y\,(2x^2 + 8x - 1)}{4\sqrt{-2}\,(x + 2)^2} \right) \]

and O ↦ O is an endomorphism defined over F_p. Computing the endomorphism
is a little harder than doubling a point.

The existing methods [ref] for point multiplication which exploit
efficiently-computable endomorphisms all use the Frobenius endomorphism. Let
E be an elliptic curve defined over a small field F_q, and let φ be the Frobenius
endomorphism. To compute kP, where P ∈ E(F_{q^n}), these methods first compute
k' = k mod (φ^n − 1) in the ring Z[φ]. Then, one computes a φ-adic expansion

\[ k' = \sum_{i=0}^{t} d_i \phi^i, \]

where the d_i are elements of a small set, e.g., {−q/2, ..., q/2}, and t ≈ n. Finally,
kP can be efficiently computed as follows:

\[ kP = k'P = \sum_{i=0}^{t} d_i\, \phi^i(P). \qquad (5) \]

The expression can be evaluated using traditional windowing techniques.
Observe that the (slow) point doublings in traditional repeated add-and-double
algorithms have been replaced by (fast) evaluations of the Frobenius map.

The methods based on Frobenius map expansions can in principle be ex-
tended to an arbitrary endomorphism ψ. However, these techniques will no longer
be efficient if computing ψ is more expensive than a point doubling. Further-
more, one may not have ψ^n − 1 = 0, so the ψ-adic expansion of k may be
significantly longer than the binary expansion of k. Finally, the existing tech-
niques do not apply when Norm(ψ) = 1 (as is the case in Examples 3 and 4)
since these techniques require a division operation by ψ which yields a nontrivial
remainder having norm less than Norm(ψ).

In the next section, we present a new method that exploits efficiently-
computable endomorphisms such as the ones in Examples 3, 4, 5 and 6 to speed
up point multiplication.

3 Using Efficient Endomorphisms

Let E be an elliptic curve defined over F_q, and let P ∈ E(F_q) be a point of
prime order n. Let φ be an endomorphism defined over F_q, and suppose that the
characteristic polynomial of φ has a root λ modulo n; since the characteristic
polynomial of an endomorphism has degree two, we expect that roughly half of
all curves will have a root modulo n. The map φ acts on ⟨P⟩ as a multiplication
map [λ].
The methods described will be advantageous if computing φ costs less than
computing about (log_2 n)/3 point doublings. In practice, we expect the algorithm
to be applied when the cost of φ is less than (say) 5 point doubles.

The problem we consider is that of computing kP for k selected uniformly at
random from the interval [1, n − 1]. The basic idea of the paper is as follows. Sup-
pose that we can efficiently write k = k1 + k2λ mod n, where k1, k2 ∈ [0, ⌈√n⌉]
(see Section 4). Then we have

\[ \begin{aligned} kP &= (k_1 + k_2\lambda)P \\ &= k_1 P + k_2(\lambda P) \\ &= k_1 P + k_2\,\phi(P). \end{aligned} \qquad (6) \]

Now (6) can be computed using any of the ‘simultaneous multiple exponentia-
tion’ type algorithms (see footnote), the simplest of which we review below. In the following,
(u_{t−1}, ..., u_1, u_0)_2 denotes the binary representation of the integer u, and w is
the window width.

Algorithm 1. Simultaneous multiple point multiplication 

Input: $w$, $u = (u_{t-1}, \ldots, u_1, u_0)_2$, $v = (v_{t-1}, \ldots, v_1, v_0)_2$, $P$, $Q$. 

Output: $uP + vQ$. 

1. Compute $iP + jQ$ for all $i, j \in [0, 2^w - 1]$. 

2. Write $u = (u^{d-1}, \ldots, u^1, u^0)$ and $v = (v^{d-1}, \ldots, v^1, v^0)$ where each $u^i$ and $v^i$ is a bitstring of length $w$, and $d = \lceil t/w \rceil$. 

3. $R \leftarrow O$. 

4. For $i$ from $d-1$ downto $0$ do 

4.1 $R \leftarrow 2^w R$. 

4.2 $R \leftarrow R + (u^i P + v^i Q)$. 

5. Return($R$). 



Analysis. Since the bitlengths of $k_1$ and $k_2$ in (6) are half the bitlength of $k$, we might expect to obtain a significant speedup because we have eliminated a significant number of point doublings at the expense of a few point additions. A precise analysis is complicated due to the large number of point multiplication techniques available. Nevertheless, the following provides some indication of the relative benefits of our method. 

Assume that $k$ is a randomly selected $t$-bit integer. When $t = 160$, Algorithm 2 of [?] (an exponent recoding and sliding window algorithm) is among the best algorithms for computing $kP$. This method costs approximately 157 point doubles and 34 point additions using windows of size 4 [?]. To compare this traditional method with the proposed method, we need an algorithm for computing $k_1 P + k_2 Q$ (where in our case $Q = \phi(P)$). The following is straightforward and useful for our purposes, but we cannot find a reference for it. 

¹ These are also known as ‘exponentiation using vector-addition chains’, ‘Shamir’s trick’, or ‘multi-exponentiation’. 

Algorithm 2 of [?] can be combined with the simultaneous multiple exponentiation technique of Algorithm 1 to give an algorithm which is among the best [?] for computing $k_1 P + k_2 Q$. Essentially, this combined algorithm computes $eP$ and $eQ$ for the integers $e$ corresponding to allowable windows, then writes each of $k_1$ and $k_2$ in signed windowed-NAF form as in [?]. Finally a left-to-right algorithm is used to iteratively double a common accumulator and add in an $eP$ or $eQ$ as appropriate. After $\max\{\log_2 k_1, \log_2 k_2\}$ iterations, the accumulator holds the desired $k_1 P + k_2 Q$. 

Using this algorithm in the proposed method to compute $kP = k_1 P + k_2(\lambda P)$ costs approximately 79 point doubles and 38 point additions (when using windows of size 3 [?]) plus 1 evaluation of the map $\phi$. If the cost of a point doubling is 8 field multiplications and the cost of a point addition is 11 field multiplications (as is the case with Jacobian coordinates [?]), then the ratio of the running times of the proposed method to the traditional method is $\approx 0.66$. Thus the new method for point multiplication is roughly 50% faster than the traditional method when $t = 160$. As the bitlength of $k$ increases, the ratio essentially decreases² and so the relative performance of the new method gets better. For example, with a bitlength of $t = 512$, the ratio is about $0.62$. 



Remark. If computing $\phi$ is cheaper than a point addition, then a few additions can be saved as follows. In the above ‘simultaneous windowed-NAF’ method for computing $k_1 P + k_2 Q$, we initially compute and store points $eP$ and $eQ$ for small values of $e$. If $Q = \phi(P)$, and computing $\phi$ is cheaper than a point addition, then we can instead compute $eQ = e\phi(P) = \phi(eP)$. For example, in the width-3 windowed method of [?], computing $k_1 P + k_2\phi(P)$ saves 3 additions at the expense of 3 additional applications of $\phi$. 

Example 7. An example of an elliptic curve for which our new method is applicable is 

$$E : y^2 = x^3 + 3$$

over the prime field $\mathbb{F}_p$, where 

$p = 1461501637330902918203684832716283019655932313743$ 
is a 160-bit prime, and 

$\#E(\mathbb{F}_p) = 1461501637330902918203687013445034429194588307251$ 
is prime. This curve is included in the WAP specification of the WTLS protocol [?]. 



² There are occasional minor bumps corresponding to window size changes. 

4 Decomposing k 

In this section we describe an algorithm which takes as input integers $n$, $\lambda$ and $k \in [1, n-1]$, and returns integers $k_1$ and $k_2$ such that $k = k_1 + k_2\lambda \pmod n$. The integers $k_1$ and $k_2$ returned are distinguished in that they are both small or, equivalently, the vector $(k_1, k_2) \in \mathbb{Z} \times \mathbb{Z}$ has small Euclidean norm. The term “small” will be made precise below. 

Let $G = \mathbb{Z} \times \mathbb{Z}$ and consider the homomorphism $f : G \to \mathbb{Z}_n$ defined by $(i, j) \mapsto i + j\lambda \bmod n$. We wish to find a short vector $u \in G$ such that $f(u) = k$; the components of $u$ can then be used as the required $k_1$ and $k_2$. Note that it is easy to find a vector $v \in G$ such that $f(v) = k$; $v = (k, 0)$ is such a vector. The problem is in finding a vector that is also short. 

Our approach is the following. We first find linearly independent short vectors $v_1, v_2 \in G$ such that $f(v_1) = f(v_2) = 0$. We then find a vector $v$ in the integer lattice generated by $v_1$ and $v_2$ that is close to $(k, 0)$. It then follows that $u = (k, 0) - v$ is a short vector with $f(u) = f((k, 0)) - f(v) = k$. Note that both subproblems can be solved using lattice basis reduction algorithms. However, the direct methods presented here are far less cumbersome to implement. 



Finding $v_1$ and $v_2$. The problem of finding two independent short vectors $v_1, v_2$ such that $f(v_1) = f(v_2) = 0$ can be solved using the extended Euclidean algorithm. We apply the extended Euclidean algorithm to find the greatest common divisor of $n$ and $\lambda$. (This gcd is 1 since $n$ is prime.) The algorithm produces a sequence of equations 

$$s_i n + t_i \lambda = r_i, \quad \text{for } i = 0, 1, 2, \ldots, \qquad (7)$$

where $s_0 = 1$, $t_0 = 0$, $r_0 = n$, $s_1 = 0$, $t_1 = 1$, $r_1 = \lambda$, and $r_i \ge 0$ for all $i$. The following properties of the extended Euclidean algorithm are well-known and can be easily proven by induction. 

Lemma 1. Let $s_i, t_i, r_i$ be the sequence of variables in (7) produced by an application of the extended Euclidean algorithm to positive integers $n$ and $\lambda$. 

(i) $r_i > r_{i+1} \ge 0$ for all $i \ge 0$. 

(ii) $|s_i| < |s_{i+1}|$ for $i \ge 1$. 

(iii) $|t_i| < |t_{i+1}|$ for $i \ge 0$. 

(iv) $r_{i-1}|t_i| + r_i|t_{i-1}| = n$ for all $i \ge 1$. 

Let $m$ be the greatest index for which $r_m \ge \sqrt{n}$. Then $r_m|t_{m+1}| + r_{m+1}|t_m| = n$, and $|t_{m+1}| < \sqrt{n}$. We take $v_1 = (r_{m+1}, -t_{m+1})$. By (7) we have $f(v_1) = 0$. Also, since $|t_{m+1}| < \sqrt{n}$ and $|r_{m+1}| < \sqrt{n}$, we have $\|v_1\| < \sqrt{2n}$. We also take $v_2$ to be the shorter of $(r_m, -t_m)$ and $(r_{m+2}, -t_{m+2})$. Again by (7), we have $f(v_2) = 0$. Heuristically one expects that $v_2$ is also short³. Observe that $v_1$ and $v_2$ are linearly independent since otherwise if $v_2 = (r_m, -t_m)$ (say), then 

$$\frac{r_{m+1}}{r_m} = \frac{t_{m+1}}{t_m},$$

but $r_{m+1}/r_m < 1$ by Lemma 1(i) and $|t_{m+1}/t_m| > 1$ by Lemma 1(iii). 

³ Experiments with various values of $\lambda$ also validate this assumption. It is impossible to prove this without further restrictions; for example consider $\lambda = n - 1$. 

Notice that since $v_1$ and $v_2$ only depend on $n$ and $\lambda$ (and not on $k$), they can be precomputed if $n$ and $\lambda$ are shared domain parameters. 



Finding $v$. A vector $v$ in the integer lattice generated by $v_1$ and $v_2$ that is close to $(k, 0)$ can be easily found using elementary linear algebra [?]. By considering $(k, 0)$, $v_1$ and $v_2$ as vectors in $\mathbb{Q} \times \mathbb{Q}$, we can write $(k, 0) = \beta_1 v_1 + \beta_2 v_2$, where $\beta_1, \beta_2 \in \mathbb{Q}$. Then round $\beta_1, \beta_2$ to the nearest integers: $b_1 = \lfloor \beta_1 \rceil$, $b_2 = \lfloor \beta_2 \rceil$. Finally, let $v = b_1 v_1 + b_2 v_2$. 

The following proves that the vector $u$ is indeed short. 

Lemma 2. The vector $u = (k, 0) - v$, where $v$ is constructed as above, has norm at most $\max(\|v_1\|, \|v_2\|)$. 

Proof. We have 

$$u = (k, 0) - v = (\beta_1 v_1 + \beta_2 v_2) - (b_1 v_1 + b_2 v_2) = (\beta_1 - b_1)v_1 + (\beta_2 - b_2)v_2.$$

Finally, since $|\beta_1 - b_1| \le \tfrac{1}{2}$ and $|\beta_2 - b_2| \le \tfrac{1}{2}$, by the Triangle Inequality we have 

$$\|u\| \le \tfrac{1}{2}\|v_1\| + \tfrac{1}{2}\|v_2\| \le \max(\|v_1\|, \|v_2\|).$$



□ 
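The whole procedure, from the extended Euclidean short vectors $v_1, v_2$ and the rounding step of this section back to the decomposition (6) and Algorithm 1 of Section 3, as an added worked example that is not code from the paper. It assumes a constructed toy curve chosen for the example and not taken from the paper: $E: y^2 = x^3 + 2$ over $\mathbb{F}_{13}$, which has 19 points (prime), with $\beta = 3$ a cube root of unity in $\mathbb{F}_{13}$ so that $\phi(x, y) = (\beta x, y)$ is an endomorphism, and $\lambda = 11$ the root of $\lambda^2 + \lambda + 1 \equiv 0 \pmod{19}$ for which $\phi(P) = \lambda P$. The function names (`short_basis`, `decompose`, `simultaneous_mul`, `glv_mul`) are the example's own.

```python
from fractions import Fraction

# Constructed toy parameters for this example (not from the paper): E: y^2 = x^3 + 2
# over F_13 has 19 points (prime), beta = 3 is a cube root of unity in F_13 and
# lambda = 11 is the root of lambda^2 + lambda + 1 = 0 mod 19 with (beta*x, y) = lambda*(x, y).
P_FIELD, B_COEF, BETA, ORDER, LAMBDA = 13, 2, 3, 19, 11
BASE = (1, 4)  # a point on E; None stands for the point at infinity O

def add(P1, P2):
    """Affine group law on y^2 = x^3 + B_COEF over F_p (a = 0)."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None  # P + (-P) = O
    if P1 == P2:
        s = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (s * s - x1 - x2) % P_FIELD
    return (x3, (s * (x1 - x3) - y1) % P_FIELD)

def neg(P):
    return None if P is None else (P[0], -P[1] % P_FIELD)

def scalar_mul(k, P):
    """Reference double-and-add for k >= 0 (the method being sped up)."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def phi(P):
    """Endomorphism (x, y) -> (beta*x, y); acts on <P> as multiplication by LAMBDA."""
    return None if P is None else (BETA * P[0] % P_FIELD, P[1])

def euclid_rows(n, lam):
    """Rows (s_i, t_i, r_i) of equation (7): s_i*n + t_i*lam = r_i, down to r_i = 0."""
    rows = [(1, 0, n), (0, 1, lam)]
    while rows[-1][2] != 0:
        (s0, t0, r0), (s1, t1, r1) = rows[-2], rows[-1]
        q = r0 // r1
        rows.append((s0 - q * s1, t0 - q * t1, r0 - q * r1))
    return rows

def short_basis(n, lam):
    """v1, v2 spanning the kernel of (i, j) -> i + j*lam mod n, chosen as in Section 4."""
    rows = euclid_rows(n, lam)
    m = max(i for i, (_, _, r) in enumerate(rows) if r * r >= n)  # largest m with r_m >= sqrt(n)
    v1 = (rows[m + 1][2], -rows[m + 1][1])
    cands = [(rows[m][2], -rows[m][1])]
    if m + 2 < len(rows):
        cands.append((rows[m + 2][2], -rows[m + 2][1]))
    return v1, min(cands, key=lambda v: v[0] ** 2 + v[1] ** 2)

def decompose(k, n, lam):
    """(k1, k2) with k = k1 + k2*lam mod n and ||(k1, k2)|| <= max(||v1||, ||v2||) (Lemma 2)."""
    v1, v2 = short_basis(n, lam)
    det = v1[0] * v2[1] - v2[0] * v1[1]  # nonzero since v1, v2 are independent
    # (k, 0) = beta1*v1 + beta2*v2 over Q, then round to the nearest integers b1, b2
    beta1, beta2 = Fraction(k * v2[1], det), Fraction(-k * v1[1], det)
    b1, b2 = round(beta1), round(beta2)
    k1 = k - (b1 * v1[0] + b2 * v2[0])  # u = (k, 0) - v with v = b1*v1 + b2*v2
    k2 = -(b1 * v1[1] + b2 * v2[1])
    return k1, k2

def simultaneous_mul(u, v, P, Q, w=2):
    """Algorithm 1: uP + vQ sharing one chain of doublings; window width w."""
    size = 1 << w
    table = [[None] * size for _ in range(size)]  # step 1: table[i][j] = iP + jQ
    for i in range(size):
        for j in range(size):
            if i or j:
                table[i][j] = add(table[i - 1][j], P) if i else add(table[i][j - 1], Q)
    d = -(-max(u.bit_length(), v.bit_length(), 1) // w)  # step 2: d = ceil(t/w) windows
    R = None
    for i in range(d - 1, -1, -1):  # steps 3-5
        for _ in range(w):
            R = add(R, R)  # R <- 2^w R
        R = add(R, table[(u >> (i * w)) & (size - 1)][(v >> (i * w)) & (size - 1)])
    return R

def glv_mul(k, P):
    """kP as k1*P + k2*phi(P), equation (6); a negative k_i is applied to the negated point."""
    k1, k2 = decompose(k % ORDER, ORDER, LAMBDA)
    Q = phi(P)
    if k1 < 0:
        k1, P = -k1, neg(P)
    if k2 < 0:
        k2, Q = -k2, neg(Q)
    return simultaneous_mul(k1, k2, P, Q)
```

With $n = 19$ and $\lambda = 11$ the Euclidean rows give $v_1 = (3, -2)$ and $v_2 = (2, 5)$, and $k = 17$ decomposes as $k_1 = 1$, $k_2 = -2$ (indeed $1 - 22 \equiv 17 \pmod{19}$), so Algorithm 1 is run on the two-bit scalars $1$ and $2$ with $Q = -\phi(P)$ instead of on the five-bit $k$.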



5 Security Considerations 

Elliptic curves having efficiently-computable endomorphisms should be regarded as “special” elliptic curves. Using “special” instances of cryptographic schemes is sometimes done for efficiency reasons (for example the use of low encryption-exponent RSA, or the use of small subgroups hidden in a larger group as with DSA). However in any instance of a cryptographic scheme, there is always the chance that an attack will be forthcoming that applies to the special instance and significantly weakens the security. Such is the case here as well. 

When selecting an elliptic curve $E$ over $\mathbb{F}_q$ for cryptographic use, one must ensure that the order $\#E(\mathbb{F}_q)$ of the elliptic curve is divisible by a large prime number $n$ (say $n >$ [?]) in order to prevent the Pohlig-Hellman and Pollard’s rho attacks. In addition, one must ensure that $\#E(\mathbb{F}_q) \ne q$ in order to prevent the Semaev-Satoh-Araki-Smart attack [?], and that $n$ does not divide $q^i - 1$ for all $1 \le i \le 20$ in order to prevent the Weil pairing [?] and Tate pairing attacks [?]. Given a curve satisfying these conditions, there is no attack known that significantly reduces the time required to compute elliptic curve discrete logarithms. Many such curves having efficient endomorphisms exist and hence appear suitable for cryptographic use. One attack on the elliptic curve discrete logarithm problem on such curves is along the lines of [?] and [?]. The application of such ideas does not reduce the time to compute a logarithm by more than a small factor. 

The number of curves for which this technique applies seems to be reasonably large. For instance, one of the Examples [?] and [?] provides a candidate for most primes $p$. 



6 Conclusions and Further Work 

We described a new method for accelerating point multiplication on classes of elliptic curves that have efficiently-computable endomorphisms. The new method for point multiplication is roughly 50% faster than the best general methods. One advantage of the new method is that it is applicable to a larger class of curves than previous such methods. For example, the method is applicable to classes of curves over prime fields and, in particular, is well suited to two curves over prime fields included in the WAP WTLS specification. 

One direction in which our method can be generalized is to use higher powers of the endomorphism. For example, one could write $k = k_1 + k_2\lambda + k_3\lambda^2 \bmod n$ for $t/3$-bit integers $k_1, k_2, k_3$. This could be done by first finding three linearly independent vectors $v_1, v_2, v_3$ in $\mathbb{Z} \times \mathbb{Z} \times \mathbb{Z}$ each of length roughly $n^{1/3}$ and lying in the kernel of the homomorphism $f : \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}_n$ defined by $(x, y, z) \mapsto x + y\lambda + z\lambda^2 \bmod n$. Experimentally, we found that if $\lambda$ satisfies $\lambda^2 - T\lambda + N = 0 \bmod n$ for a random prime $n$, random $T$ (Trace) and random $N$ (Norm), then the application of LLL to the lattice generated by $\{(\lambda^2, 0, -1), (\lambda, -1, 0), (0, \lambda, -1), (n, 0, 0), (0, n, 0), (0, 0, n)\}$ results in 3 independent vectors of length about $n^{1/3}$ provided at least one of $N$, $T$ has magnitude at least $n^{1/3}$. In this case the application of ‘simultaneous multiple exponentiation’ type techniques yields an even better improvement over traditional algorithms, with the relevant ratio around $1/2$. 

We warn that generating $k$ by simply choosing $k_1, k_2, k_3$ first requires care: for example, if $\lambda^2 + \lambda + 1 = 0 \bmod n$ (as in Example [?]) then $k_1 + k_2\lambda + k_3\lambda^2 = (k_1 - k_3) + (k_2 - k_3)\lambda \bmod n$. Thus simply choosing $k_1, k_2, k_3$ randomly in $[0, n^{1/3}]$ and setting $k = k_1 + k_2\lambda + k_3\lambda^2 \bmod n$ will result in a $k$ having a considerable bias, and consequently the resulting cryptographic scheme may be susceptible to an attack like Bleichenbacher’s attack [?] on the DSA as specified in FIPS 186. 

Acknowledgements. The authors would like to thank Charles Lam, Alfred 
Menezes, and John Proos for several very helpful comments and suggestions. 
Abstract. Let $E/\mathbb{F}_p$ be an elliptic curve, and $G \in E/\mathbb{F}_p$. Define the Diffie-Hellman function as $\mathrm{DH}_{E,G}(aG, bG) = abG$. We show that if there is an efficient algorithm for predicting the LSB of the $x$ or $y$ coordinate of $abG$ given $(E, G, aG, bG)$ for a certain family of elliptic curves, then there is an algorithm for computing the Diffie-Hellman function on all curves in this family. This seems stronger than the best analogous results for the Diffie-Hellman function in $\mathbb{F}_p^*$. Boneh and Venkatesan showed that in $\mathbb{F}_p$ computing approximately $(\log p)^{1/2}$ of the bits of the Diffie-Hellman secret is as hard as computing the entire secret. Our results show that just predicting one bit of the Elliptic Curve Diffie-Hellman secret in a family of curves is as hard as computing the entire secret. 



1 Introduction 

We recall how the Diffie-Hellman key exchange scheme works in an arbitrary finite cyclic group $\mathcal{G}$ of order $T$. Let $g$ be a generator of $\mathcal{G}$. Then to establish a common key, two communicating parties, Alice and Bob, execute the following protocol, see [?]: Alice chooses a random integer $x \in [1, T-1]$, computes and sends $X = g^x$ to Bob. Bob chooses a random integer $y \in [1, T-1]$, computes and sends $Y = g^y$ to Alice. Now both Alice and Bob can compute the common Diffie-Hellman secret 

$$k = Y^x = X^y = g^{xy}.$$

The Computational Diffie-Hellman assumption (CDH) in the group $\mathcal{G}$ states that no efficient algorithm can compute $g^{xy}$ given $g, g^x, g^y$. However, this does not mean that one cannot compute a few bits of $g^{xy}$ or perhaps predict some bits of $g^{xy}$. In fact, to use the Diffie-Hellman protocol in an efficient system one usually relies on the stronger Decision Diffie-Hellman assumption (DDH) [?]. Ideally, one would like to show that an algorithm for DDH in the group $\mathcal{G}$ implies an algorithm for CDH in $\mathcal{G}$. As a first step we show that, in the group of points of an elliptic curve over a finite field, predicting the least significant bit (LSB) of the Diffie-Hellman secret, for many curves in a family of curves, is as hard as computing the entire secret. Such results were previously known for the RSA function [?] but not for Diffie-Hellman. 

Let $p$ be prime and let $\lfloor s \rfloor_p$ denote the remainder of an integer $s$ on division by $p$. We also use $\log z$ to denote the binary logarithm of $z > 0$. In the classical settings $\mathcal{G}$ is selected as the multiplicative group $\mathbb{F}_p^*$ of a finite field of $p$ elements (and thus $g$ is a primitive root of $\mathbb{F}_p$). In this case, Boneh and Venkatesan showed that about $\log^{1/2} p$ most significant bits of $\lfloor g^{xy} \rfloor_p$ are as hard to find as $\lfloor g^{xy} \rfloor_p$ itself. The result is based on lattice reduction techniques. A similar result holds for the least significant bits as well. Gonzalez Vasco and Shparlinski [?] used exponential sums to extend this result to subgroups $\mathcal{G}$ of $\mathbb{F}_p^*$. It has turned out that the lattice reduction technique used in [?] coupled with the exponential sum technique lead to a series of new results about the bits security of some cryptographic constructions [?] as well as to attacks on some of them [?]. 

However the case where $\mathcal{G}$ is the point group of an elliptic curve has turned out to be much harder for applications of the lattice reduction based technique of [?] because of the inherited nonlinearity of the problem. Although some results have recently been obtained in [?] they are much weaker than those known for subgroups of $\mathbb{F}_p^*$. Here, using a very different technique, we show that working with a certain family of isomorphic curves (rather than with one fixed curve) allows us to obtain results that are stronger than those known for subgroups of $\mathbb{F}_p^*$. By using certain twists of the given curve we show that predicting the least significant bit of the elliptic curve Diffie-Hellman secret in a family of curves is as hard as computing the entire secret. Since our techniques work with many curves at once they do not extend to the case of subgroups of $\mathbb{F}_p^*$. 

2 Elliptic Curve Diffie-Hellman Scheme 

Throughout the paper we let $p$ be a prime and let $\mathbb{F}_p$ be the finite field of size $p$. Let $E$ be an elliptic curve over $\mathbb{F}_p$, given by an affine Weierstrass equation of the form 

$$Y^2 = X^3 + AX + B, \qquad 4A^3 + 27B^2 \ne 0. \qquad (1)$$

It is known [?] that the set $E(\mathbb{F}_p)$ of $\mathbb{F}_p$-rational points of $E$ forms an Abelian group under an appropriate composition rule and with the point at infinity $O$ as the neutral element. We also recall that 

$$|N - p - 1| \le 2p^{1/2},$$

where $N = |E(\mathbb{F}_p)|$ is the number of $\mathbb{F}_p$-rational points, including the point at infinity $O$. 

Let $G \in E$ be a point of order $q$, that is, $q$ is the size of the cyclic group generated by $G$. Then the common key established at the end of the Diffie-Hellman protocol with respect to the curve $E$ and the point $G$ is $abG = (x, y) \in E$ for some integers $a, b \in [1, q-1]$. 

Throughout the paper we use the fact that the representation of $E$ contains the field of definition of $E$. With this convention, an algorithm given the representation of $E/\mathbb{F}_p$ as input does not need to also be given $p$. The algorithm obtains $p$ from the representation of $E$. 

Diffie-Hellman Function: Let $E$ be an elliptic curve over $\mathbb{F}_p$ and let $G \in E$ be a point of prime order $q$. We define the Diffie-Hellman function as: 

$$\mathrm{DH}_{E,G}(aG, bG) = abG$$

where $a, b$ are integers in $[1, q-1]$. The Diffie-Hellman problem on $E$ is to compute $\mathrm{DH}_{E,G}(P, Q)$ given $E, G, P, Q$. Clearly we mostly focus on curves in which the Diffie-Hellman problem is believed to be hard. Throughout we say that a randomized algorithm $\mathcal{A}$ computes the Diffie-Hellman function if $\mathcal{A}(E, G, aG, bG) = abG$ holds with probability at least $1 - 1/p$. The probability is over the random bits used by $\mathcal{A}$. 

Twists on elliptic curves: Let $E$ be an elliptic curve over $\mathbb{F}_p$ given by the Weierstrass equation $Y^2 = X^3 + AX + B$. Our proofs rely on using certain twists of the elliptic curve. For $\lambda \in \mathbb{F}_p^*$ define $\phi_\lambda(E)$ to be the (twisted) elliptic curve: 

$$Y^2 = X^3 + A\lambda^4 X + B\lambda^6. \qquad (2)$$

We remark that $4(A\lambda^4)^3 + 27(B\lambda^6)^2 = (4A^3 + 27B^2)\lambda^{12} \ne 0$ for $\lambda \in \mathbb{F}_p^*$. Hence, $\phi_\lambda(E)$ is an elliptic curve for any $\lambda \in \mathbb{F}_p^*$. Throughout the paper we are working with the family of curves $\{\phi_\lambda(E_0)\}_{\lambda \in \mathbb{F}_p^*}$ associated with a given curve $E_0$. 

It is easy to verify that for any point $P = (x, y) \in E$ and any $\lambda \in \mathbb{F}_p^*$ the point $P_\lambda = (x\lambda^2, y\lambda^3) \in \phi_\lambda(E)$. Moreover, from the explicit formulas for the group law on $E$ and $\phi_\lambda(E)$, see [?], we derive that for any points $P, Q, R \in E$ with $P + Q = R$ we also have $P_\lambda + Q_\lambda = R_\lambda$. In particular, for any $G \in E$ we have: 

$$xG_\lambda = (xG)_\lambda, \quad yG_\lambda = (yG)_\lambda, \quad xyG_\lambda = (xyG)_\lambda.$$

Hence, the map $\phi_\lambda : E \to \phi_\lambda(E)$ mapping $P \in E$ to $P_\lambda \in \phi_\lambda(E)$ is a homomorphism. In fact, it is easy to verify that $\phi_\lambda$ is an isomorphism of groups. This means that 

$$\mathrm{DH}_{\phi_\lambda(E), G_\lambda}(P_\lambda, Q_\lambda) = \phi_\lambda\big[\mathrm{DH}_{E,G}(P, Q)\big].$$

Hence, if the Diffie-Hellman function is hard to compute in $E$ then it is also hard to compute for all curves in $\{\phi_\lambda(E)\}_{\lambda \in \mathbb{F}_p^*}$. 
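The twist $\phi_\lambda$ of equation (2) and the homomorphism claim just made, checked exhaustively on a small curve, as an added example that is not code from the paper. It assumes a constructed toy curve chosen for the example and not taken from the paper, $E: y^2 = x^3 + x + 1$ over $\mathbb{F}_{13}$ (for which $4A^3 + 27B^2 = 31 \equiv 5 \ne 0$), and verifies, for every $\lambda \in \mathbb{F}_{13}^*$, that $\phi_\lambda(E)$ is nonsingular, that $P \mapsto P_\lambda$ maps $E(\mathbb{F}_p)$ onto $\phi_\lambda(E)(\mathbb{F}_p)$ and commutes with the group law, and that $\mathrm{DH}_{\phi_\lambda(E),G_\lambda}(P_\lambda, Q_\lambda) = \phi_\lambda[\mathrm{DH}_{E,G}(P, Q)]$. The function names are the example's own.

```python
# Added example (not from the paper). Assumption: the toy prime p = 13; the curve
# coefficients A, B are passed in, E: y^2 = x^3 + x + 1 is used in the checks below.
P_FIELD = 13

def on_curve(pt, A, B):
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P_FIELD == 0

def add(P1, P2, A):
    """Affine group law on y^2 = x^3 + A x + B over F_p; None is the point at infinity O."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None  # P + (-P) = O, including the doubling of a 2-torsion point
    if P1 == P2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (s * s - x1 - x2) % P_FIELD
    return (x3, (s * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt, A):
    """Double-and-add scalar multiplication on the curve with coefficient A."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R, A)
        if bit == "1":
            R = add(R, pt, A)
    return R

def points(A, B):
    """All of E(F_p), the point at infinity first."""
    return [None] + [(x, y) for x in range(P_FIELD) for y in range(P_FIELD) if on_curve((x, y), A, B)]

def twist_coeffs(A, B, lam):
    """Coefficients of phi_lambda(E): y^2 = x^3 + A lambda^4 x + B lambda^6, equation (2)."""
    return A * pow(lam, 4, P_FIELD) % P_FIELD, B * pow(lam, 6, P_FIELD) % P_FIELD

def twist(pt, lam):
    """P_lambda = (x lambda^2, y lambda^3)."""
    if pt is None:
        return None
    return (pt[0] * pow(lam, 2, P_FIELD) % P_FIELD, pt[1] * pow(lam, 3, P_FIELD) % P_FIELD)

def twist_is_isomorphism(A, B):
    """For every lambda in F_p^*: phi_lambda(E) is nonsingular, P -> P_lambda maps E(F_p)
    onto phi_lambda(E)(F_p), and (P + Q)_lambda = P_lambda + Q_lambda for all P, Q in E(F_p)."""
    E = points(A, B)
    for lam in range(1, P_FIELD):
        A2, B2 = twist_coeffs(A, B, lam)
        if (4 * A2 ** 3 + 27 * B2 ** 2) % P_FIELD == 0:
            return False
        if sorted(map(str, (twist(pt, lam) for pt in E))) != sorted(map(str, points(A2, B2))):
            return False
        for P1 in E:
            for P2 in E:
                if twist(add(P1, P2, A), lam) != add(twist(P1, lam), twist(P2, lam), A2):
                    return False
    return True

def dh_commutes(A, B, G, a, b, lam):
    """DH_{phi(E), G_lambda}(P_lambda, Q_lambda) == phi_lambda(DH_{E,G}(P, Q)) for P = aG, Q = bG."""
    A2, _ = twist_coeffs(A, B, lam)
    secret = mul(a * b, G, A)                        # DH_{E,G}(aG, bG) = abG, computed on E
    on_twist = mul(a, twist(mul(b, G, A), lam), A2)  # a * (bG)_lambda, computed on the twist
    return twist(secret, lam) == on_twist
```

Because the check enumerates all of $E(\mathbb{F}_{13})$ and all twelve values of $\lambda$, it also illustrates why the paper works with the whole family $\{\phi_\lambda(E_0)\}$: each twist is a different-looking curve equation, yet an oracle on any of them can be translated back to $E_0$ through $\phi_\lambda^{-1}$.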

3 Main Results 

We denote by $\mathrm{LSB}(z)$ the least significant bit of an integer $z \ge 0$. When $z \in \mathbb{F}_p$ we let $\mathrm{LSB}(z)$ be $\mathrm{LSB}(x)$ for the unique integer $x \in [0, p-1]$ such that $x = z \bmod p$. 

Let $p$ be a prime, and let $E$ be an elliptic curve over $\mathbb{F}_p$. Let $G \in E$ be a point of order $q$, for some prime $q$. We say that an algorithm $\mathcal{A}$ has advantage $\varepsilon$ in predicting the LSB of the $x$-coordinate of the Diffie-Hellman function on $E$ if: 

$$\left| \Pr_{a,b}\big[\mathcal{A}(E, G, aG, bG) = \mathrm{LSB}(x)\big] - \frac{1}{2} \right| > \varepsilon$$

where $abG = (x, y) \in E$ and $a, b$ are chosen uniformly at random in $[1, q-1]$. We write $\mathrm{Adv}^x_{E,G}(\mathcal{A}) > \varepsilon$. Similarly, we say that algorithm $\mathcal{A}$ has advantage $\varepsilon$ in predicting the LSB of the $y$-coordinate of the Diffie-Hellman function if: 

$$\left| \Pr_{a,b}\big[\mathcal{A}(E, G, aG, bG) = \mathrm{LSB}(y)\big] - \frac{1}{2} \right| > \varepsilon$$

where $abG = (x, y) \in E$. We write $\mathrm{Adv}^y_{E,G}(\mathcal{A}) > \varepsilon$. 

The following result shows that no algorithm can have a non-negligible advantage in predicting the LSB of the $x$ or $y$ coordinates of the Diffie-Hellman secret for many curves in $\{\phi_\lambda(E_0)\}_{\lambda \in \mathbb{F}_p^*}$ unless the Diffie-Hellman problem is easy on $E_0$. 

Theorem 1. Let $\varepsilon, \delta \in (0, 1)$. Let $p$ be a prime, and let $E_0$ be an elliptic curve over $\mathbb{F}_p$. Let $G \in E_0$ be a point of prime order. Suppose there is a $t$-time algorithm $\mathcal{A}$ such that either: 

1. $\mathrm{Adv}^x_{\phi_\lambda(E_0), \phi_\lambda(G)}(\mathcal{A}) > \varepsilon$ for at least a $\delta$-fraction of the $\lambda \in \mathbb{F}_p^*$, or 

2. $\mathrm{Adv}^y_{\phi_\lambda(E_0), \phi_\lambda(G)}(\mathcal{A}) > \varepsilon$ for at least a $\delta$-fraction of the $\lambda \in \mathbb{F}_p^*$. 

Then the Diffie-Hellman function $\mathrm{DH}_{E_0,G}(P, Q)$ can be computed in expected time $t \cdot T(\log p, 1/\varepsilon\delta)$, where $T$ is some fixed polynomial independent of $p$ and $E_0$. 

Theorem 1 shows that, if the Diffie-Hellman problem is hard in $E_0$, then no efficient algorithm can predict the least significant bit of the $X$ or $Y$ coordinates of the Diffie-Hellman function for a non-negligible fraction of the curves in $\{\phi_\lambda(E_0)\}_{\lambda \in \mathbb{F}_p^*}$. The proof of Theorem 1 is given in Section 6. Note the theorem does not give a curve in $\{\phi_\lambda(E_0)\}_{\lambda \in \mathbb{F}_p^*}$ for which the LSB of the $X$ coordinate is a hard-core bit: it can still be the case that for every curve $E \in \{\phi_\lambda(E_0)\}_{\lambda \in \mathbb{F}_p^*}$ there is an efficient algorithm that predicts the LSB of $\mathrm{DH}_{E,G}$ for that curve only. However, there cannot be a single efficient algorithm that predicts this LSB for a non-negligible fraction of the curves in $\{\phi_\lambda(E_0)\}_{\lambda \in \mathbb{F}_p^*}$. 

An immediate corollary of Theorem 1 gives a hard core predicate for a simple extension of the Diffie-Hellman function. Let $\mathrm{DH}'_{E,G}$ be the function: 

$$\mathrm{DH}'_{E,G}(P, Q, \lambda) = \mathrm{DH}_{\phi_\lambda(E), G_\lambda}(P_\lambda, Q_\lambda)$$

where $G_\lambda = \phi_\lambda(G)$ and similarly $P_\lambda, Q_\lambda$. Note that this function basically uses $\lambda$ as an index indicating in which group to execute the Diffie-Hellman protocol. Then the LSB of the $X$ or $Y$ coordinates is a hard-core bit of this function assuming the Diffie-Hellman problem is hard in $E$. 

Corollary 1. Let $E$ be an elliptic curve over $\mathbb{F}_p$ and let $G \in E$ be of prime order $q$. Suppose there is a $t$-time algorithm $\mathcal{A}$ such that 

$$\Pr_{a,b,\lambda}\big[\mathcal{A}(E, G, aG, bG, \lambda) = \mathrm{LSB}(x)\big] > \frac{1}{2} + \varepsilon$$

where $\mathrm{DH}'_{E,G}(aG, bG, \lambda) = (x, y) \in \phi_\lambda(E)$. Here $a, b$ are uniformly chosen in $[1, q-1]$ and $\lambda \in \mathbb{F}_p^*$. Then the Diffie-Hellman function $\mathrm{DH}_{E_0,G}$ can be computed in expected time $t \cdot T(\log p, 1/\varepsilon)$ where $T$ is some fixed polynomial independent of $p$ and $E_0$. 

We note that there are other ways of extending the Diffie-Hellman function to obtain a hard-core bit [?]. 



4 Review of the ACGS Algorithm 

The proof of Theorem 1 uses an algorithm due to Alexi, Chor, Goldreich, and Schnorr [?]. We refer to this algorithm as the ACGS algorithm. For completeness, we briefly review the algorithm here. First, we define the following variant of the Hidden Number Problem (HNP) presented in [?]. 

HNP-CM: Fix an $\varepsilon > 0$. Let $p$ be a prime. For an $\alpha \in \mathbb{F}_p$ let $L : \mathbb{F}_p^* \to \{0, 1\}$ be a function satisfying 

$$\Pr_{t \in \mathbb{F}_p^*}\Big[L(t) = \mathrm{LSB}\big(\lfloor \alpha \cdot t \rfloor_p\big)\Big] \ge \frac{1}{2} + \varepsilon. \qquad (3)$$

The HNP-CM problem is: given an oracle for $L(t)$, find $\alpha$ in polynomial time (in $\log p$ and $1/\varepsilon$). Clearly we wish to show an algorithm for this problem that works for the smallest possible $\varepsilon$. For small $\varepsilon$ there might be multiple $\alpha$ satisfying condition (3) (polynomially many in $1/\varepsilon$). In this case the list-HNP-CM problem is to find the list of all such $\alpha \in \mathbb{F}_p$. Note that it is easy to verify that a given $\alpha$ belongs to the list of solutions by picking polynomially many random samples $x \in \mathbb{F}_p$ (say, $O(1/\varepsilon^2)$ samples suffice) and testing that $L(x) = \mathrm{LSB}(\lfloor \alpha x \rfloor_p)$ holds sufficiently often. 

We refer to the above problem as HNP-CM to denote the fact that we are free to evaluate $L(t)$ at any multiplier $t$ of our choice (the CM stands for Chosen Multiplier). In the original HNP studied in [?] one is only given samples $(t, L(t))$ for random $t$. The following theorem shows how to solve the HNP-CM for any $\varepsilon > 0$. The proof of the theorem (using different terminology) can be found in [?] and [?]. 

Theorem 2 (ACGS). Let $p$ be an $n$-bit prime and let $\varepsilon > 0$. Then, given $\varepsilon$, the list-HNP-CM problem can be solved in expected polynomial time in $n$ and $1/\varepsilon$. 

Proof Sketch. For $\alpha \in \mathbb{F}_p^*$ let $f_\alpha(t) : \mathbb{F}_p \to \{0, 1\}$ be a function such that $f_\alpha(t) = \mathrm{LSB}(\lfloor \alpha t \rfloor_p)$ for all $t \in \mathbb{F}_p$. It is well known that given an oracle for $f_\alpha(t)$ it is possible to recover $\alpha$ using polynomially many queries (polynomial in $\log p$). See [?] or Theorem 7 of [?]. In fact, using the method of [?], it suffices to make queries only at $t$ for which $\lfloor t\alpha \rfloor_p < p \cdot \varepsilon/2$ (as a result the run time is polynomial in $\log p$ and $1/\varepsilon$). Hence, the main challenge is in building an oracle for $f_\alpha(t)$ from an oracle for $L(t)$. The ACGS algorithm constructs an oracle for $f_\alpha(t)$ for every $\alpha \in \mathbb{F}_p^*$ that satisfies the condition (3). This construction is at the heart of the ACGS algorithm. 

Let $m = n\varepsilon^{-2}$. We show how to evaluate $f_\alpha(t)$ given an oracle for the function $L(t)$. We first pick random $u, v \in \mathbb{F}_p$. We use the same $u, v$ to answer all queries to $f_\alpha(t)$. We assume that we know the $2\log m$ most significant bits and the least significant bit of $\lfloor u\alpha \rfloor_p$, $\lfloor v\alpha \rfloor_p$. This assumption is valid since we intend to run the ACGS algorithm with all possible values for these $2 + \lceil 4\log m \rceil$ bits. In one of these iterations we obtain the correct values for the $2 + \lceil 4\log m \rceil$ most significant bits and least significant bit of $\lfloor u\alpha \rfloor_p$, $\lfloor v\alpha \rfloor_p$. Note that different guesses for these bits will lead to oracles for $f_\alpha(t)$ for different values of $\alpha$. 

For $i = 1, \ldots, m$ let $r_i = \lfloor iu + v \rfloor_p$. Then $r_1, \ldots, r_m$ are pairwise independent values in $\mathbb{F}_p$ (over the choice of $u, v$). One can easily show (as in [?]) that using the knowledge of the most significant bits of $u\alpha, v\alpha \bmod p$ and the least significant bit, it is easy to determine $b_i = \mathrm{LSB}(\lfloor r_i \alpha \rfloor_p)$ for $i = 1, \ldots, m$. Therefore, to evaluate $f_\alpha(t)$ do the following: 

1. Evaluate $a_i = L(t + r_i)$. Set $f_i = a_i \oplus b_i$, for $i = 1, \ldots, m$, where $\oplus$ denotes addition modulo 2. 

2. Respond with $f_\alpha(t) = \mathrm{Majority}(f_1, \ldots, f_m)$. 

For a given $i \in [1, m]$ we say that $a_i$ is correct if $a_i = \mathrm{LSB}(\lfloor \alpha(t + r_i) \rfloor_p)$. Recall that we only make $f_\alpha(t)$ queries at $t$ satisfying $\lfloor t\alpha \rfloor_p < p \cdot \varepsilon/2$. Therefore, $\lfloor \alpha(t + r_i) \rfloor_p = \lfloor \alpha t \rfloor_p + \lfloor \alpha r_i \rfloor_p$, as integers, with probability at least $1 - \varepsilon/2$. Then $\mathrm{LSB}(\lfloor \alpha(t + r_i) \rfloor_p) = \mathrm{LSB}(\lfloor \alpha t \rfloor_p) \oplus \mathrm{LSB}(\lfloor \alpha r_i \rfloor_p)$. It follows that if $a_i$ is correct then $f_i = \mathrm{LSB}(\lfloor t\alpha \rfloor_p)$ with probability at least $1 - \varepsilon/2$. 

Since each $r_i$ is uniformly distributed in $\mathbb{F}_p$ (over the choice of $u, v$) it follows that each $a_i$ is correct with probability at least $\frac{1}{2} + \varepsilon$. Since the $r_i$’s are pairwise independent it follows that the $f_i$’s are pairwise independent. Therefore, by Chebychev’s inequality we obtain the correct value of $f_\alpha(t)$ with probability $1 - 1/n$. The exact analysis is given in [?]. Since we are able to construct an almost perfect subroutine for $f_\alpha(t)$ for all $\alpha$ satisfying the condition (3) the ACGS algorithm will produce a polynomial (in $\log p$) length list of candidates containing all required $\alpha$. Note that it is easy to verify that a given $\alpha$ in the resulting list satisfies the condition (3) by picking polynomially many random samples $x \in \mathbb{F}_p$ and testing that $L(x) = \mathrm{LSB}(\lfloor \alpha x \rfloor_p)$ holds sufficiently often. □ 

We note that Fischlin and Schnorr [?] presented a more efficient algorithm for the HNP-CM. They rely on sub-sampling in Step 2 above to reduce the number of queries to the oracle for $L$. 
5 Quadratic and Cubic Hidden Number Problems 

To prove the main results of Section 3 we actually need an algorithm for the following variant of the HNP-CM problem. 

HNP-CM$^d$: Fix an integer $d > 0$ and an $\varepsilon > 0$. Let $p$ be a prime. For an $\alpha \in \mathbb{F}_p^*$ let $L^{(d)} : \mathbb{F}_p^* \to \{0, 1\}$ be a function satisfying 

$$\Pr_{t \in \mathbb{F}_p^*}\Big[L^{(d)}(t) = \mathrm{LSB}\big(\lfloor \alpha \cdot t^d \rfloor_p\big)\Big] \ge \frac{1}{2} + \varepsilon. \qquad (4)$$

The HNP-CM$^d$ problem is: given an oracle for $L^{(d)}$, find $\alpha$ in polynomial time. 

For small $\varepsilon$ there might be multiple $\alpha$ satisfying condition (4) (polynomially many in $\varepsilon^{-1}$). In this case the list-HNP-CM$^d$ problem is to find all such $\alpha \in \mathbb{F}_p^*$. We prove the following simple result regarding the list-HNP-CM$^d$ problem. We use this theorem for $d = 2$ and $d = 3$. 

Theorem 3. Fix an integer $d > 1$. Let $p$ be an $n$-bit prime and let $\varepsilon > 0$. Then, given $\varepsilon$, the HNP-CM$^d$ problem can be solved in expected polynomial time in $\log p$ and $d/\varepsilon$. 

Proof. Let $L^{(d)}$ be a function satisfying the condition (4). Let $R : \mathbb{F}_p \to \{0, 1\}$ be a random function chosen uniformly from the set of all functions from $\mathbb{F}_p$ to $\{0, 1\}$. Let $S : \mathbb{F}_p^d \to \mathbb{F}_p$ be a function satisfying $S(x)^d = x \bmod p$ for all $x \in \mathbb{F}_p^d$ and chosen at random from the set of such functions. Here $\mathbb{F}_p^d$ is the set of $d$’th powers in $\mathbb{F}_p$. The function $S$ is simply a function mapping a $d$’th power $x \in \mathbb{F}_p^d$ to a randomly chosen $d$’th root of $x$. Next, define the following function $L(t)$: 

$$L(t) = \begin{cases} L^{(d)}(S(t)) & \text{if } t \in \mathbb{F}_p^d, \\ R(t) & \text{otherwise.} \end{cases}$$

We claim that for any $\alpha \in \mathbb{F}_p^*$ satisfying the condition (4) we have that $L(t)$ satisfies 

$$\Pr_{t,R,S}\Big[L(t) = \mathrm{LSB}\big(\lfloor \alpha \cdot t \rfloor_p\big)\Big] \ge \frac{1}{2} + \varepsilon/d.$$

To see this, fix an $\alpha \in \mathbb{F}_p$ satisfying the condition (4). Let $B_t$ be the event that $L(t) = \mathrm{LSB}(\lfloor \alpha \cdot t \rfloor_p)$. Let $B'_t$ be the event that $L^{(d)}(t) = \mathrm{LSB}(\lfloor \alpha \cdot t^d \rfloor_p)$. Observe that if $t$ is uniform in $\mathbb{F}_p^d \setminus \{0\}$ then $S(t)$ is uniform in $\mathbb{F}_p^*$. Let $e = \gcd(p-1, d)$. 

If $e = 1$ then $\mathbb{F}_p^d = \mathbb{F}_p$ and therefore: 

$$\Pr_{t,R,S}[B_t] = \Pr_{t,R,S}\big[B'_{S(t)}\big] = \Pr_{x \in \mathbb{F}_p^*}[B'_x] \ge \frac{1}{2} + \varepsilon.$$

Hence, in this case the claim is correct. When $e > 1$ then the size of $\mathbb{F}_p^d \setminus \{0\}$ is $(p-1)/e$. Therefore: 

$$\Pr_{t,R,S}[B_t] = \frac{1}{e}\Pr_{t,R,S}\big[B'_{S(t)} \,\big|\, t \in \mathbb{F}_p^d\big] + \Big(1 - \frac{1}{e}\Big) \cdot \frac{1}{2} \ge \frac{1}{e}\Big(\frac{1}{2} + \varepsilon\Big) + \Big(1 - \frac{1}{e}\Big) \cdot \frac{1}{2} = \frac{1}{2} + \frac{\varepsilon}{e} \ge \frac{1}{2} + \frac{\varepsilon}{d}$$

and hence the claim holds in this case as well. 

We see that an oracle for $L^{(d)}$ with advantage $\varepsilon$ immediately gives rise to an oracle for $L$ with advantage $\varepsilon/d$. Hence, we can use the ACGS algorithm to find the list of solutions to the given HNP-CM$^d$ problem. When the ACGS algorithm runs we build the functions $R$ and $S$ as they are needed to respond to ACGS’s queries to $L$. The ACGS algorithm will produce a super set of the solution set to the list-HNP-CM$^d$ within the required time bound. Note that we may need to prune some of the solutions produced by the ACGS algorithm: we only output the $\alpha$’s for which the condition (4) holds. □ 



6 Proof of Main Results 

We are now ready to prove Theorem 1. The proof reduces the problem of computing the Diffie-Hellman function to the Hidden Number Problem described in Section 5. We also use the following two simple lemmas. For a curve $E/\mathbb{F}_p$ and $G \in E$ of order $q$ define: 

$$P_{E,G,\lambda}(\mathcal{B}) = \Pr_{a,b}\Big[\mathcal{B}\big(\phi_\lambda(E), \phi_\lambda(G), \phi_\lambda(aG), \phi_\lambda(bG)\big) = \mathrm{LSB}(x_\lambda)\Big]$$

where $\phi_\lambda(abG) = (x_\lambda, y_\lambda) \in \phi_\lambda(E)$ and $a, b$ are uniform in $[1, q-1]$. Note that the probability space includes the random bits used by $\mathcal{B}$. 

Lemma 1. Let $p$ be a prime, and let $E$ be an elliptic curve over $\mathbb{F}_p$. Let $G \in E$. Suppose there is a $t$-time algorithm $\mathcal{A}$ such that $\mathrm{Adv}^x_{\phi_\lambda(E), \phi_\lambda(G)}(\mathcal{A}) > \varepsilon$ for at least a $\delta$-fraction of the $\lambda \in \mathbb{F}_p^*$. 

Then, given $\varepsilon, \delta$, there is a $t'$-time algorithm $\mathcal{B}$ such that: 

(1) for at least a $\delta$-fraction of the $\lambda \in \mathbb{F}_p^*$ we have that: $P_{E,G,\lambda}(\mathcal{B}) > \frac{1}{2} + \varepsilon/2$, and 

(2) for the remaining $\lambda \in \mathbb{F}_p^*$ we have that: $P_{E,G,\lambda}(\mathcal{B}) > \frac{1}{2} - \varepsilon\delta/4$. 

Furthermore, $t' = t \cdot T(1/\varepsilon\delta)$ for some fixed polynomial $T$ independent of $p$, $E$. 

Proof. On input $(E, G, P, Q)$ algorithm $\mathcal{B}$ works as follows: 

1. Pick $u = (4/\varepsilon\delta)^2$ random $a, b \in [1, q-1]$ pairs and run $\mathcal{A}$ on all tuples $(E, G, aG, bG)$. 

2. Let $v$ be the number of runs in which $\mathcal{A}$ correctly outputs $\mathrm{LSB}((abG)_x)$. 

3. If $v > u/2$ then $\mathcal{B}$ outputs $\mathcal{A}(E, G, P, Q)$, otherwise $\mathcal{B}$ outputs the complement of $\mathcal{A}(E, G, P, Q)$. 

Let $\tau > \varepsilon\delta/4$. For all $\lambda \in \mathbb{F}_p^*$ for which $\mathrm{Adv}^x_{\phi_\lambda(E), \phi_\lambda(G)}(\mathcal{A}) > \tau$ we have that $\mathcal{B}$ satisfies: $P_{E,G,\lambda}(\mathcal{B}) > \frac{1}{2} + \tau/2$. This follows directly from Chebychev’s inequality. For all other $\lambda$’s, by definition of $\mathrm{Adv}(\mathcal{A})$ we have $P_{E,G,\lambda}(\mathcal{B}) > \frac{1}{2} - \varepsilon\delta/4$. Hence, both conditions 1 and 2 are satisfied. □ 



Lemma 2. Let $\mathcal{B}$ be an algorithm satisfying the two conditions of Lemma 1. Then 

$$\Pr_{\lambda}\Big[\mathcal{B}\big(\phi_\lambda(E), \phi_\lambda(G), \phi_\lambda(aG), \phi_\lambda(bG)\big) = \mathrm{LSB}(x_\lambda)\Big] > \frac{1}{2} + \frac{\varepsilon\delta}{8}$$

holds with probability at least $\varepsilon\delta/8$ over the choice of $a, b \in [1, q-1]$, where $\phi_\lambda(abG) = (x_\lambda, y_\lambda)$. 

Proof. The proof uses a standard counting argument. Algorithm $\mathcal{B}$ induces a matrix $M$ whose entries are real numbers in $[0, 1]$. There is a column in $M$ for every $\lambda \in \mathbb{F}_p^*$ and a row for every $(a, b) \in [1, q-1]^2$. The entry at the $\lambda$’th column and $(a, b)$’th row is simply 

$$\Pr\Big[\mathcal{B}\big(\phi_\lambda(E), \phi_\lambda(G), \phi_\lambda(aG), \phi_\lambda(bG)\big) = \mathrm{LSB}(x_\lambda)\Big].$$

The probability is over the random bits used by $\mathcal{B}$. Suppose the matrix $M$ has $n$ columns and $m$ rows. Since $\mathcal{B}$ satisfies the two conditions of Lemma 1 we know that the sum of all the entries in $M$, which we call the weight of $M$ and denote by $\mathrm{weight}(M)$, is at least 

$$\mathrm{weight}(M) \ge nm\Big(\frac{1}{2} + \frac{\delta\varepsilon}{4}\Big).$$

Let $R$ be the number of rows in $M$ that have weight at least $n\big(\frac{1}{2} + \frac{\varepsilon\delta}{8}\big)$ (the weight of a row is the sum of the entries in that row). We have 

$$Rn + (m - R)\,n\Big(\frac{1}{2} + \frac{\varepsilon\delta}{8}\Big) \ge \mathrm{weight}(M) \ge nm\Big(\frac{1}{2} + \frac{\delta\varepsilon}{4}\Big).$$

Therefore 

$$\frac{R}{m} \ge \frac{\varepsilon\delta}{8}.$$

The result now follows. □ 



We also need to review a theorem due to Shoup (Theorem 7 of [21]). The theorem shows that an algorithm that outputs a list of candidates for the Diffie-Hellman function can be easily converted into an algorithm that computes the Diffie-Hellman function. For concreteness we state the theorem as it applies to elliptic curves over $\mathbb{F}_p$.

Theorem 4 (Shoup). Let $E$ be an elliptic curve over $\mathbb{F}_p$ and let $G \in E$ be an element of prime order $q$. Suppose there is a $t$-time algorithm $A$ that given $aG, bG \in E$ outputs a set of size $m$ satisfying $\mathrm{DH}_{E,G}(aG, bG) \in A(E, G, aG, bG)$ with probability at least $1/8$. Then there is an algorithm $B$ that computes the Diffie-Hellman function in $E$ in time $t' = t(\log p) + T(m, \log p)$. Here $T$ is a fixed polynomial independent of $p$ and $E$.

Proof of Theorem ^. Let $E$ be a curve over $\mathbb{F}_p$ and $G \in E$ of prime order $q$. Suppose there is an expected $t$-time algorithm $A$ such that $\mathrm{Adv}_{E,G,\lambda}(A) > \varepsilon$ for at least a $\delta$-fraction of the $\lambda \in \mathbb{F}_p^*$. We show how to compute the Diffie-Hellman function $\mathrm{DH}_{E,G}$.

We are given $A = aG$ and $B = bG$ in $E$. We wish to compute the point $C = abG \in E$. We first randomize the problem by computing $A' = a_0 A$ and $B' = b_0 B$ for random $a_0, b_0 \in [1, q-1]$. If $C' = \mathrm{DH}_{E,G}(A', B')$ then $C = c_0 C'$ where $c_0 = (a_0 b_0)^{-1} \bmod q$. Hence, it suffices to find $C'$. Write $C' = (x_0, y_0)$.

Since $\phi_\lambda : E \to \phi_\lambda(E)$ is an isomorphism it follows that

$$\mathrm{DH}_{\phi_\lambda(E),\phi_\lambda(G)}(\phi_\lambda(A'), \phi_\lambda(B')) = \phi_\lambda(C') = (\lambda^2 x_0, \lambda^3 y_0).$$

Since $A', B'$ are uniformly distributed in the group generated by $G$ (excluding $O$) we can apply both Lemma 1 and Lemma 2 to obtain an algorithm $B$ satisfying:

$$\Pr\big[B(\phi_\lambda(E), \phi_\lambda(G), \phi_\lambda(A'), \phi_\lambda(B')) = \mathrm{LSB}(\lambda^2 x_0)\big] > \frac{1}{2} + \frac{\varepsilon\delta}{8} \qquad (5)$$

is true with probability at least $\varepsilon\delta/8$ over the choice of $a_0, b_0$ in $[1, q-1]$.

For now we assume that (5) holds. We obtain an HNP-CM$^2$ problem where $x_0$ is the hidden number. To see this, define:

$$L^{(2)}(\lambda) = B(\phi_\lambda(E), \phi_\lambda(G), \phi_\lambda(A'), \phi_\lambda(B')).$$

Then condition (5) implies that $\Pr_\lambda[L^{(2)}(\lambda) = \mathrm{LSB}(\lambda^2 x_0)] > \frac{1}{2} + \frac{\varepsilon\delta}{8}$. We can therefore use the algorithm of Theorem 0 to find a list of candidates $x_1, \ldots, x_n \in \mathbb{F}_p$ containing the desired $x_0$.

To ensure that condition (5) holds, we repeat this process $\lceil 8/\varepsilon\delta \rceil$ times and build a list of candidates of size $O(n/\delta\varepsilon)$. Then condition (5) holds with constant probability during one of these iterations. Therefore, the list of candidates contains the correct $x_0$ with constant probability. By solving for $y$ we obtain a list of candidates for $C'$. That is, we obtain a set $S'$ such that $C' \in S' \subseteq E$. This list $S'$ can be easily converted to a list of candidates $S$ for $C$ by setting $S = \{c_0 P \mid P \in S'\}$.

Therefore, we just constructed a polynomial time algorithm (in $\log p$ and $1/\varepsilon\delta$) that for any $aG, bG \in E$ outputs a polynomial size list containing $C$ with constant probability. Using Theorem 4 this algorithm gives an algorithm for computing the Diffie-Hellman function in $E$ in the required time bound.

To complete the proof of the theorem we also need to consider an algorithm predicting the LSB of the $y$-coordinates. That is, suppose there is an expected $t$-time algorithm $A$ whose advantage in predicting the LSB of the $y$-coordinate is greater than $\varepsilon$ for a $\delta$-fraction of $\lambda \in \mathbb{F}_p^*$. We show how to compute the Diffie-Hellman function $\mathrm{DH}_{E,G}$. The proof in this case is very similar to the proof for the $x$-coordinate. The only difference is that since we are using the $y$-coordinate we obtain an HNP-CM$^3$ problem. We use Lemma 1 and Lemma 2 to obtain an HNP-CM$^3$ oracle with advantage $\varepsilon\delta/8$ in predicting $\mathrm{LSB}(\lambda^3 y_0)$. The theorem now follows from the algorithm for HNP-CM$^3$ given in Theorem 0.

□



7 Conclusions 

We have shown that no algorithm can predict the LSB of the $x$ and $y$ coordinates of the elliptic curve Diffie-Hellman secret for a non-negligible fraction of the curves in $\{\phi_\lambda(E_0)\}_{\lambda \in \mathbb{F}_p^*}$, assuming the Diffie-Hellman problem is hard on some curve $E_0 \in \{\phi_\lambda(E_0)\}_{\lambda \in \mathbb{F}_p^*}$. Our proofs use reductions between many curves by randomly twisting the curve $E_0$. We hope these techniques will eventually lead to a proof that if CDH is hard on a certain curve $E$ then the LSB of Diffie-Hellman is a hard core predicate on that curve.
Abstract. We propose a fully functional identity-based encryption 
scheme (IBE). The scheme has chosen ciphertext security in the random 
oracle model assuming an elliptic curve variant of the computational 
Diffie-Hellman problem. Our system is based on the Weil pairing. We 
give precise definitions for secure identity based encryption schemes and 
give several applications for such systems. 

1 Introduction 

In 1984 Shamir j2Y) asked for a public key encryption scheme in which the public 
key can be an arbitrary string. In such a scheme there are four algorithms: (1) 
setup generates global system parameters and a master-key, (2) extract uses the 
master-key to generate the private key corresponding to an arbitrary public key 
string $\mathrm{ID} \in \{0, 1\}^*$, (3) encrypt encrypts messages using the public key ID, and 
(4) decrypt decrypts messages using the corresponding private key. 

Shamir’s original motivation for identity-based encryption was to simplify 
certificate management in e-mail systems. When Alice sends mail to Bob at 
bob@hotmail.com she simply encrypts her message using the public key string 
“bob@hotmail.com”. There is no need for Alice to obtain Bob’s public key cer- 
tificate. When Bob receives the encrypted mail he contacts a third party, which 
we call the Private Key Generator (PKG). Bob authenticates himself to the PKG 
in the same way he would authenticate himself to a CA and obtains his private 
key from the PKG. Bob can then read his e-mail. Note that unlike the existing 
secure e-mail infrastructure, Alice can send encrypted mail to Bob even if Bob 
has not yet set up his public key certificate. Also note that key escrow is inherent 
in identity-based e-mail systems: the PKG knows Bob’s private key. We discuss 
key revocation, as well as several new applications for IBE schemes in the next 
section. 

Since the problem was posed in 1984 there have been several proposals for 
IBE schemes (e.g., IZESEBEH). However, none of these are fully satisfactory. 
Some solutions require that users not collude. Other solutions require the PKG 
to spend a long time for each private key generation request. Some solutions 

* Supported by DARPA contract F30602-99-1-0530 and the Packard Foundation. 

** Supported by an NSF Career Award. 

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 213–229, 2001. 
require tamper-resistant hardware. It is fair to say that constructing a usable IBE system is still an open problem. Interestingly, the related notions of identity-based signature and authentication schemes, also introduced by Shamir [23], do have satisfactory solutions cmDi. 

In this paper we propose a fully functional identity-based encryption scheme. The performance of our system is comparable to the performance of ElGamal encryption in $\mathbb{F}_p^*$. The security of our system is based on a natural analogue of the computational Diffie-Hellman assumption on elliptic curves. Based on this assumption we show that the new system has chosen ciphertext security in the random oracle model. Using standard techniques from threshold cryptography im the PKG in our scheme can be distributed so that the master-key is never available in a single location. Unlike common threshold systems, we show that robustness for our distributed PKG is free. 

Our IBE system can be built from any bilinear map $e : G_1 \times G_1 \to G_2$ between two groups $G_1, G_2$ as long as a variant of the Computational Diffie-Hellman problem in $G_1$ is hard. We use the Weil pairing on elliptic curves as an example of such a map. Until recently the Weil pairing has mostly been used for attacking elliptic curve systems. Joux im recently showed that the Weil pairing can be used for “good” by using it in a protocol for three party one round Diffie-Hellman key exchange. Using similar ideas, Verheul m recently constructed an ElGamal encryption scheme where each public key has two corresponding private keys. In addition to our identity-based encryption scheme, we show how to construct an ElGamal encryption scheme with “built-in” key escrow, i.e., where one global escrow key can decrypt ciphertexts encrypted under any public key. 

To argue about the security of our IBE system we define chosen ciphertext security for identity-based encryption. Our model is slightly stronger than the standard model for chosen ciphertext security EMI. While mounting a chosen ciphertext attack on the public key ID, the attacker could ask the PKG for the private key of some public key $\mathrm{ID}' \ne \mathrm{ID}$. This private key might help the attacker. Hence, during the chosen ciphertext attack we allow the attacker to obtain the private key for any public key of her choice other than the one on which the attacker is being challenged. Even with the help of such queries the attacker should have negligible advantage in defeating the semantic security of the system. 

The rest of the paper is organized as follows. Several applications of identity- 
based encryption are discussed in Section o We then give precise definitions 
and security models in Section 0 Basic properties of the Weil pairing - sufficient 
for an understanding of our constructions - are discussed in Section^. Our main 
identity-based encryption scheme is presented in Section^ Some extensions and 
variations (efficiency improvements, distribution of the master-key) are consid- 
ered in Section 121 Our construction for ElGamal encryption with a global escrow 
key is described in Section El Conclusions and open problems are discussed in 
Section 0 
1.1 Applications for Identity-Based Encryption 

The original motivation for identity-based encryption is to help the deployment 
of a public key infrastructure. In this section, we show several other unrelated 
applications. 



Revocation of Public Keys. Public key certificates contain a preset expira- 
tion date. In an IBE system key expiration can be done by having Alice encrypt 
e-mail sent to Bob using the public key: “bob@hotmail.com ‖ current-year”. 
In doing so Bob can use his private key during the current year only. Once a 
year Bob needs to obtain a new private key from the PKG. Hence, we get the 
effect of annual private key expiration. Note that unlike the existing PKI, Alice 
does not need to obtain a new certificate from Bob every time Bob refreshes his 
certificate. 

One could potentially make this approach more granular by encrypting e-mail 
for Bob using “bob@hotmail.com ‖ current-date”. This forces Bob to obtain 
a new private key every day. This might be feasible in a corporate PKI where 
the PKG is maintained by the corporation. With this approach key revocation 
is quite simple: when Bob leaves the company and his key needs to be revoked, 
the corporate PKG is instructed to stop issuing private keys for Bob’s e-mail 
address. The interesting property is that Alice does not need to communicate 
with any third party to obtain Bob’s daily public key. This approach enables 
Alice to send messages into the future: Bob will only be able to decrypt the 
e-mail on the date specified by Alice (see [2bl8| for methods of sending messages 
into the future using a stronger security model) . 



Delegation of Decryption Keys. Another application for IBE systems is 
delegation of decryption capabilities. We give two example applications. In both 
applications the user Bob plays the role of the PKG. Bob runs the setup algorithm 
to generate his own IBE system parameters params and his own master-key. Here 
we view params as Bob’s public key. Bob obtains a certificate from a CA for his 
public key params. When Alice wishes to send mail to Bob she first obtains Bob’s 
public key params and public key certificate. 

1. Delegation to a laptop. Suppose Alice encrypts mail to Bob using the 
current date as the IBE encryption key (she uses Bob’s params as the IBE 
system parameters). Since Bob has the master-key he can extract the private 
key corresponding to this IBE encryption key and then decrypt the message. 
Now, suppose Bob goes on a trip for seven days. Normally, Bob would put his 
private key on his laptop. If the laptop is stolen the private key is compromised. 
When using the IBE system Bob could simply install on his laptop the seven 
private keys corresponding to the seven days of the trip. If the laptop is stolen, 
only the private key for those seven days are compromised. The master-key is 
unharmed. This is analogous to the delegation scenario for signature schemes 
considered by Goldreich et al. m- 
2. Delegation of duties. Suppose Alice encrypts mail to Bob using the subject 
line as the IBE encryption key. Bob can decrypt mail using his master-key. Now, 
suppose Bob has several assistants each responsible for a different task (e.g. 
one is ‘purchasing’, another is ‘human-resources’, etc.). Bob gives one private 
key to each of his assistants corresponding to the assistant’s responsibility. 
Each assistant can then decrypt messages whose subject line falls within its 
responsibilities, but it cannot decrypt messages intended for other assistants. 
Note that Alice only obtains a single public key from Bob (params), and she 
uses that public key to send mail with any subject line of her choice. The mail 
can only be read by the assistant responsible for that subject. 

More generally, IBE can simplify various systems that manage a large number 
of public keys. Rather than storing a big database of public keys the system 
can either derive these public keys from usernames, or simply use the integers 
$1, \ldots, n$ as distinct public keys. 

2 Definitions 

Bilinear Map. Let $G_1$ and $G_2$ be two cyclic groups of order $q$ for some large prime $q$. In our system, $G_1$ is the group of points of an elliptic curve over $\mathbb{F}_p$ and $G_2$ is a subgroup of $\mathbb{F}_{p^2}^*$. Therefore, we view $G_1$ as an additive group and $G_2$ as a multiplicative group. A map $e : G_1 \times G_1 \to G_2$ is said to be bilinear if $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}$. As we will see in Section 0 the Weil pairing is an example of an efficiently computable non-degenerate bilinear map. 

Weil Diffie-Hellman Assumption (WDH). Our IBE system can be built from any bilinear map $e : G_1 \times G_1 \to G_2$ for which the following assumption holds: there is no efficient algorithm to compute $e(P, P)^{abc} \in G_2$ from $P, aP, bP, cP \in G_1$ where $a, b, c \in \mathbb{Z}$. This assumption is precisely defined in Section 0 We note that this WDH assumption implies that the Diffie-Hellman problem is hard in the group $G_1$. 

Identity-Based Encryption. An identity-based encryption scheme is specified by 
four randomized algorithms: Setup, Extract, Encrypt, Decrypt: 

Setup: takes a security parameter k and returns params (system parameters) and 
master-key. The system parameters include a description of a finite message 
space M, and a description of a finite ciphertext space C. Intuitively, the 
system parameters will be publicly known, while the master-key will be known 
only to the “Private Key Generator” (PKG). 

Extract: takes as input params, master-key, and an arbitrary ID G {0,1}*, and 
returns a private key d. Here ID is an arbitrary string that will be used as 
a public key, and d is the corresponding private decryption key. The Extract 
algorithm extracts a private key from the given public key. 

Encrypt: takes as input params, ID, and $M \in \mathcal{M}$. It returns a ciphertext $C \in \mathcal{C}$. 

Decrypt: takes as input params, ID, $C \in \mathcal{C}$, and a private key $d$. It returns $M \in \mathcal{M}$. 

These algorithms must satisfy the standard consistency constraint, namely when 
d is the private key generated by algorithm Extract when it is given ID as the 
public key, then 

$$\forall M \in \mathcal{M} : \mathrm{Decrypt}(\text{params}, \mathrm{ID}, C, d) = M \quad\text{where}\quad C = \mathrm{Encrypt}(\text{params}, \mathrm{ID}, M)$$



Chosen ciphertext security. Chosen ciphertext security (IND-CCA) is the stan- 
dard acceptable notion of security for a public key encryption scheme E^ITP . 
Hence, it is natural to require that an identity-based encryption scheme also sat- 
isfy this strong notion of security. However, the definition of chosen ciphertext 
security must be strengthened a bit. The reason is that when an attacker attacks 
a public key ID in an identity-based system, the attacker might already possess 
the private keys of users $\mathrm{ID}_1, \ldots, \mathrm{ID}_n$ of her choice. The system should remain 
secure under such an attack. Hence, the definition of chosen ciphertext security 
must allow the attacker to obtain the private key associated with any identity 
$\mathrm{ID}_i$ of her choice (other than the public key ID being attacked). We refer to such 
queries as private key extraction queries. Another difference is that the attacker 
is challenged on a public key ID of her choice (as opposed to a random public 
key). 

We say that an identity-based encryption scheme is semantically secure 
against an adaptive chosen ciphertext attack (IND-ID-CCA) if no polynomially 
bounded adversary A has a non-negligible advantage against the Challenger in 
the following game: 

Setup: The challenger takes a security parameter k and runs the Setup algo- 
rithm. It gives the adversary the resulting system parameters params. It keeps 
the master-key to itself. 

Phase 1: The adversary issues queries $q_1, \ldots, q_m$ where query $q_i$ is one of: 

- Extraction query $\langle \mathrm{ID}_i \rangle$. The challenger responds by running algorithm Extract to generate the private key $d_i$ corresponding to the public key $\langle \mathrm{ID}_i \rangle$. It sends $d_i$ to the adversary. 

- Decryption query $\langle \mathrm{ID}_i, C_i \rangle$. The challenger responds by running algorithm Extract to generate the private key $d_i$ corresponding to $\mathrm{ID}_i$. It then runs algorithm Decrypt to decrypt the ciphertext $C_i$ using the private key $d_i$. It sends the resulting plaintext to the adversary. 

These queries may be asked adaptively, that is, each query $q_i$ may depend on the replies to $q_1, \ldots, q_{i-1}$. 

Challenge: Once the adversary decides that Phase 1 is over it outputs two plaintexts $M_0, M_1 \in \mathcal{M}$ and an identity ID on which it wishes to be challenged. The only constraint is that ID did not appear in any private key extraction query in Phase 1. 

The challenger picks a random bit $b \in \{0, 1\}$ and sets $C = \mathrm{Encrypt}(\text{params}, \mathrm{ID}, M_b)$. It sends $C$ as the challenge to the adversary. 
Phase 2: The adversary issues more queries $q_{m+1}, \ldots, q_n$ where query $q_i$ is one of: 

- Extraction query $\langle \mathrm{ID}_i \rangle$ where $\mathrm{ID}_i \ne \mathrm{ID}$. Challenger responds as in Phase 1. 

- Decryption query $\langle \mathrm{ID}_i, C_i \rangle \ne \langle \mathrm{ID}, C \rangle$. Challenger responds as in Phase 1. 

These queries may be asked adaptively as in Phase 1. 

Guess: Finally, the adversary outputs a guess $b' \in \{0, 1\}$. The adversary wins the game if $b = b'$. 

We refer to such an adversary $\mathcal{A}$ as an IND-ID-CCA attacker. We define adversary $\mathcal{A}$’s advantage in attacking the scheme as: $\mathrm{Adv}(\mathcal{A}) = \big|\Pr[b = b'] - \tfrac{1}{2}\big|$. 

The probability is over the random bits used by the challenger and the adversary. 
We say that the IBE system is semantically secure against an adaptive chosen 
ciphertext attack (IND-ID-CCA) if no polynomially bounded adversary has a 
non-negligible advantage in attacking the scheme. As usual, “non-negligible” 
should be understood as larger than $1/f(k)$ for some polynomial $f$ (recall $k$ is 
the security parameter). Note that the standard definition of chosen ciphertext 
security (IND-CCA) [2511 1 is the same as above except that there are no private 
key extraction queries and the attacker is challenged on a random public key 
(rather than a public key of her choice) . 

Private key extraction queries are related to the definition of chosen ciphertext 
security in the multiuser settings 0. After all, our definition involves mul- 
tiple public keys belonging to multiple users. In ^ the authors show that 
multiuser IND-CCA is reducible to single user IND-CCA using a standard hybrid 
argument. This does not hold in the identity-based settings, IND-ID-CCA, since 
the attacker gets to choose which public keys to corrupt during the attack. To 
emphasize the importance of private key extraction queries we note that our IBE 
system can be easily modified (by removing one of the hash functions) into a 
system which has chosen ciphertext security when private extraction queries are 
disallowed. However, the scheme is completely insecure when extraction queries 
are allowed. 



One way identity-based encryption. The proof of security for our IBE system makes use of a weak notion of security called one-way encryption (OWE) [12]. OWE is defined for standard public key encryption schemes (not identity based) as follows: the attacker $A$ is given a random public key $K_{pub}$ and a ciphertext $C$ which is the encryption of a random message $M$ using $K_{pub}$. The attacker’s goal is to recover the corresponding plaintext. It has advantage $\varepsilon$ in attacking the system if $\Pr[A(K_{pub}, C) = M] = \varepsilon$. We say that the public key scheme is a one-way encryption scheme (OWE) if no polynomial time attacker has non-negligible advantage in attacking the scheme. See [12] for precise definitions. 

For identity-based encryption, we strengthen the definition as follows. We say 
that an IBE scheme is a one-way identity-based encryption scheme (ID-OWE) 
if no polynomially bounded adversary A has a non-negligible advantage against 
the Challenger in the following game: 
Setup: The challenger takes a security parameter k and runs the Setup algo- 
rithm. It gives the adversary the resulting system parameters params. It keeps 
the master-key to itself. 

Phase 1: The adversary issues private key extraction queries $\mathrm{ID}_1, \ldots, \mathrm{ID}_m$. The challenger responds by running algorithm Extract to generate the private key $d_i$ corresponding to the public key $\mathrm{ID}_i$. It sends $d_i$ to the adversary. These queries may be asked adaptively. 

Challenge: Once the adversary decides that Phase 1 is over it outputs a public key $\mathrm{ID} \ne \mathrm{ID}_1, \ldots, \mathrm{ID}_m$ on which it wishes to be challenged. The challenger picks a random $M \in \mathcal{M}$ and encrypts $M$ using ID as the public key. It then sends the resulting ciphertext $C$ to the adversary. 

Phase 2: The adversary issues more extraction queries $\mathrm{ID}_{m+1}, \ldots, \mathrm{ID}_n$. The only constraint is that $\mathrm{ID}_i \ne \mathrm{ID}$. The challenger responds as in Phase 1. 

Guess: Finally, the adversary outputs a guess $M' \in \mathcal{M}$. The adversary wins the game if $M = M'$. 

We refer to such an attacker $\mathcal{A}$ as an ID-OWE attacker. We define adversary $\mathcal{A}$’s advantage in attacking the scheme as: $\mathrm{Adv}(\mathcal{A}) = \Pr[M = M']$. The probability is over the random bits used by the challenger and the adversary. Note that the definition of OWE is the same as ID-OWE except that there are no private key extraction queries and the attacker is challenged on a random public key (rather than a public key of her choice). 

3 Properties of the Weil Pairing 

The bilinear map $e : G_1 \times G_1 \to G_2$ discussed in Section 0 is implemented via the Weil pairing. In this section we describe the basic properties of this pairing and the complexity assumption needed for the security of our system. To make the presentation concrete we consider a specific supersingular elliptic curve. In Section 0 we describe several extensions and observations for our approach. The complete definition and algorithm for computing the pairing are given in the full version of the paper [2]. 

Let $p$ be a prime satisfying $p = 2 \bmod 3$ and $p = 6q - 1$ for some prime $q$. Let $E$ be the elliptic curve defined by the equation $y^2 = x^3 + 1$ over $\mathbb{F}_p$. We state a few elementary facts about this curve: 

Fact 1: Since $x^3 + 1$ is a permutation on $\mathbb{F}_p$ it easily follows that $E/\mathbb{F}_p$ contains $p + 1$ points. We let $O$ denote the point at infinity. Let $P \in E/\mathbb{F}_p$ be a generator of the group of points of order $q = (p+1)/6$. We denote this group by $G_q$. 

Fact 2: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E/\mathbb{F}_p$. Hence, if $(x, y)$ is a random non-zero point on $E/\mathbb{F}_p$ then $y$ is uniform in $\mathbb{F}_p$. We use this property to simplify the proof of security. 

Fact 3: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0 \bmod p$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on the curve $E$. Note that when $P = (x, y) \in E/\mathbb{F}_p$ we have that $\phi(P) \in E/\mathbb{F}_{p^2}$, but $\phi(P) \notin E/\mathbb{F}_p$. Hence, $P \in E/\mathbb{F}_p$ is linearly independent of $\phi(P) \in E/\mathbb{F}_{p^2}$. 

Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$. 

Let $\mu_q$ be the subgroup of $\mathbb{F}_{p^2}^*$ containing all elements of order $q = (p+1)/6$. The Weil pairing on the curve $E/\mathbb{F}_{p^2}$ is a mapping $e : E[q] \times E[q] \to \mu_q$. We define the modified Weil pairing $\hat{e} : G_q \times G_q \to \mu_q$ to be: 

$$\hat{e}(P, Q) = e(P, \phi(Q))$$

The modified Weil pairing satisfies the following properties: 

1. Bilinear: For all $P, Q \in G_q$ and for all $a, b \in \mathbb{Z}$ we have $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$. 

2. Non-degenerate: $\hat{e}(P, P) \in \mathbb{F}_{p^2}$ is an element of order $q$, and in fact a generator of $\mu_q$. 

3. Computable: Given $P, Q \in G_q$ there is an efficient algorithm, due to Miller, to compute $\hat{e}(P, Q)$. This algorithm is described in [2]. Its run time is comparable to a full exponentiation in $\mathbb{F}_p$. 

3.1 Weil Diffie-Hellman Assumption 

Joux and Nguyen HH| point out that although the Computational Diffie-Hellman problem (CDH) appears to be hard in the group $G_q$, the Decisional Diffie-Hellman problem (DDH) is easy in $G_q$. Observe that given $P, aP, bP, cP \in G_q$ we have 

$$c = ab \bmod q \iff \hat{e}(P, cP) = \hat{e}(aP, bP)$$

Hence, the modified Weil pairing provides an easy test for Diffie-Hellman tuples. Consequently, one cannot use the DDH assumption to build cryptosystems in the group $G_q$. The security of our system is based on the following natural variant of the Computational Diffie-Hellman assumption. 

Weil Diffie-Hellman Assumption (WDH): Let $p = 2 \bmod 3$ be a $k$-bit prime and $p = 6q - 1$ for some prime $q$. Let $E/\mathbb{F}_p$ be the curve $y^2 = x^3 + 1$ and let $P \in E/\mathbb{F}_p$ be a point of order $q$. The WDH problem is as follows: Given $\langle P, aP, bP, cP \rangle$ for random $a, b, c \in \mathbb{Z}_q^*$ compute $W = \hat{e}(P, P)^{abc} \in \mathbb{F}_{p^2}$. The WDH Assumption states that when $p$ is a random $k$-bit prime there is no probabilistic polynomial time algorithm for the WDH problem. An algorithm $A$ has advantage $\varepsilon$ in solving WDH if $\Pr[A(P, aP, bP, cP) = \hat{e}(P, P)^{abc}] \ge \varepsilon$. Joux previously used an analogue of the WDH assumption to construct a one-round three party Diffie-Hellman protocol. Verheul m recently used a related hardness assumption. 

To conclude this section we point out that the discrete log problem in $G_q$ is easily reducible to the discrete log problem in $\mathbb{F}_{p^2}^*$ (see E2Cnj). To see this observe that given $P \in G_q$ and $Q = aP$ we can define $g = \hat{e}(P, P)$ and $h = \hat{e}(Q, P)$. Then $h = g^a$ and $h, g \in \mathbb{F}_{p^2}^*$. Hence, computing discrete log in $\mathbb{F}_{p^2}^*$ is sufficient for computing discrete log in $G_q$. For proper security of discrete log in $\mathbb{F}_{p^2}^*$ one often uses primes $p$ that are 1024-bits long. Since we need discrete log in $G_q$ to be difficult our system also uses primes $p$ that are at least 1024-bits long. 
4 Our Identity-Based Encryption Scheme 

We describe our scheme in stages. First we give a basic identity-based encryption 
scheme which is not secure against an adaptive chosen ciphertext attack. The 
only reason for describing the basic scheme is to make the presentation easier 
to follow. Our full scheme, described in Section O, extends the basic scheme to 
get security against an adaptive chosen ciphertext attack (IND-ID-CCA) in the 
random oracle model. 



4.1 MapToPoint 

Let $p$ be a prime satisfying $p = 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$. Let $E$ be the elliptic curve $y^2 = x^3 + 1$ over $\mathbb{F}_p$. Our IBE scheme makes use of a simple algorithm for converting an arbitrary string $\mathrm{ID} \in \{0, 1\}^*$ to a point $Q_{\mathrm{ID}} \in E/\mathbb{F}_p$ of order $q$. We refer to this algorithm as MapToPoint. We describe one of several ways of doing so. Let $G$ be a cryptographic hash function $G : \{0, 1\}^* \to \mathbb{F}_p$ (in the security analysis we view $G$ as a random oracle). Algorithm $\mathrm{MapToPoint}_G$ works as follows: 

1. Compute $y_0 = G(\mathrm{ID})$ and $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p-1)/3} \bmod p$. 

2. Let $Q = (x_0, y_0) \in E/\mathbb{F}_p$. Set $Q_{\mathrm{ID}} = 6Q$. Then $Q_{\mathrm{ID}}$ has order $q$ as required. 

This completes the description of MapToPoint. We note that there are 5 values of $y_0 \in \mathbb{F}_p$ for which $6Q = 6(x_0, y_0) = O$ (these are the non-$O$ points of order dividing 6). When $G(\mathrm{ID})$ is one of these 5 values $Q_{\mathrm{ID}}$ will not have order $q$. Since it is extremely unlikely for $G(\mathrm{ID})$ to hit one of these five points, for simplicity we say that such ID’s are invalid. It is easy to extend algorithm MapToPoint to handle these five $y_0$ values as well. 



4.2 BasicIdent 

To explain the basic ideas underlying our IBE system we describe the following simple scheme, called BasicIdent. We present the scheme by describing the four algorithms: Setup, Extract, Encrypt, Decrypt. We let $k$ be the security parameter given to the setup algorithm. 

Setup: The algorithm works as follows: 

Step 1: Choose a large $k$-bit prime $p$ such that $p = 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$. Let $E$ be the elliptic curve defined by $y^2 = x^3 + 1$ over $\mathbb{F}_p$. Choose an arbitrary $P \in E/\mathbb{F}_p$ of order $q$. 

Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. 

Step 3: Choose a cryptographic hash function $H : \mathbb{F}_{p^2} \to \{0, 1\}^n$ for some $n$. Choose a cryptographic hash function $G : \{0, 1\}^* \to \mathbb{F}_p$. The security analysis will view $H$ and $G$ as random oracles. 

The message space is $\mathcal{M} = \{0, 1\}^n$. The ciphertext space is $\mathcal{C} = E/\mathbb{F}_p \times \{0, 1\}^n$. The system parameters are $\text{params} = \langle p, n, P, P_{pub}, G, H \rangle$. The master-key is $s \in \mathbb{Z}_q^*$. 



222 D. Boneh and M. Franklin 

Extract: For a given string $\mathrm{ID} \in \{0, 1\}^*$ the algorithm builds a private key $d$ as follows: 

Step 1: Use $\mathrm{MapToPoint}_G$ to map ID to a point $Q_{\mathrm{ID}} \in E/\mathbb{F}_p$ of order $q$. 

Step 2: Set the private key $d_{\mathrm{ID}}$ to be $d_{\mathrm{ID}} = sQ_{\mathrm{ID}}$ where $s$ is the master key. 

Encrypt: To encrypt $M \in \mathcal{M}$ under the public key ID do the following: (1) use $\mathrm{MapToPoint}_G$ to map ID into a point $Q_{\mathrm{ID}} \in E/\mathbb{F}_p$ of order $q$, (2) choose a random $r \in \mathbb{Z}_q^*$, and (3) set the ciphertext to be 

$$C = \langle rP,\; M \oplus H(g_{\mathrm{ID}}^{\,r}) \rangle \quad\text{where}\quad g_{\mathrm{ID}} = \hat{e}(Q_{\mathrm{ID}}, P_{pub}) \in \mathbb{F}_{p^2}$$

Decrypt: Let $C = \langle U, V \rangle \in \mathcal{C}$ be a ciphertext encrypted using the public key ID. If $U \in E/\mathbb{F}_p$ is not a point of order $q$ reject the ciphertext. Otherwise, to decrypt $C$ using the private key $d_{\mathrm{ID}}$ compute: 

$$V \oplus H(\hat{e}(d_{\mathrm{ID}}, U)) = M$$

This completes the description of BasicIdent. We first verify consistency. When everything is computed as above we have: 

1. During encryption $M$ is XORed with the hash of: $g_{\mathrm{ID}}^{\,r}$. 

2. During decryption $V$ is XORed with the hash of: $\hat{e}(d_{\mathrm{ID}}, U)$. 

These masks used during encryption and decryption are the same since: 

$$\hat{e}(d_{\mathrm{ID}}, U) = \hat{e}(sQ_{\mathrm{ID}}, rP) = \hat{e}(Q_{\mathrm{ID}}, P)^{sr} = \hat{e}(Q_{\mathrm{ID}}, P_{pub})^r = g_{\mathrm{ID}}^{\,r}$$

Thus, applying decryption after encryption produces the original message $M$ as required. We note that there is no need to devise attacks against this basic scheme since it is only presented for simplifying the exposition. The next section describes the full scheme. 

Performance. Algorithms Setup and Extract are very simple algorithms. At the 
heart of both algorithms is a standard multiplication on the curve $E/\mathbb{F}_p$. 
Algorithm Encrypt requires that the encryptor compute the Weil pairing of $Q_{ID}$ and 
$P_{pub}$. Note that this computation is independent of the message, and hence can 
be done once and for all. Once $g_{ID}$ is computed the performance of the system is 
almost identical to standard ElGamal encryption. We also note that the 
ciphertext length is the same as in regular ElGamal encryption in $\mathbb{F}_p$. Decryption is a 
simple Weil pairing computation. 

Security. Next, we study the security of this basic scheme. The following theorem 
shows that the scheme is a one-way identity based encryption scheme (ID-OWE) 
assuming WDH is hard. 

Theorem 1. Let the hash functions $H$, $G$ be random oracles. Suppose there is an 
ID-OWE attacker $\mathcal{A}$ that has advantage $\epsilon$ against the scheme BasicIdent. Suppose 
$\mathcal{A}$ makes at most $q_E > 0$ private key extraction queries and $q_H > 0$ hash queries. 
Then there is an algorithm $\mathcal{B}$ for computing WDH with advantage at least 
$\left(\frac{\epsilon}{e(1+q_E)} - \frac{1}{2^n}\right) / q_H$. Here $e \approx 2.71$ is the base of the natural logarithm. The 
running time of $\mathcal{B}$ is $O(time(\mathcal{A}))$. 
To prove the theorem we need to define a related Public Key Encryption 
scheme (not an identity scheme), called PubKeyEnc. PubKeyEnc is described by 
three algorithms: keygen, encrypt, decrypt. 

keygen: The algorithm works as follows: 

Step 1: Choose a large $k$-bit prime $p$ such that $p \equiv 2 \bmod 3$ and $p = 6q - 1$ 
for some prime $q > 3$. Let $E$ be the elliptic curve defined by $y^2 = x^3 + 1$ 
over $\mathbb{F}_p$. Choose an arbitrary $P \in E/\mathbb{F}_p$ of order $q$. 

Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. 
Pick a random point $Q_{ID} \in E/\mathbb{F}_p$ of order $q$. Then $Q_{ID}$ is in the group 
generated by $P$. 

Step 3: Choose a cryptographic hash function $H : \mathbb{F}_{p^2} \to \{0,1\}^n$ for some $n$. 

Step 4: The public key is $(p, n, P, P_{pub}, Q_{ID}, H)$. The private key is $d_{ID} = sQ_{ID}$. 

encrypt: To encrypt $M \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q$ and set the ciphertext 
to be: 

$C = \langle rP,\ M \oplus H(g^r) \rangle$ where $g = e(Q_{ID}, P_{pub}) \in \mathbb{F}_{p^2}$ 

decrypt: Let $C = \langle U, V \rangle \in \mathcal{C}$ be a ciphertext encrypted using the public key 
$(p, n, P, P_{pub}, Q_{ID}, H)$. To decrypt $C$ using the private key $d_{ID}$ compute: 

$V \oplus H(e(d_{ID}, U)) = M$ 

This completes the description of PubKeyEnc. We now prove Theorem 1 in two 
steps. We first show that an ID-OWE attack on BasicIdent can be converted to a 
OWE attack on PubKeyEnc. This step shows that private key extraction queries 
do not help the attacker. We then show that PubKeyEnc is OWE if the WDH 
assumption holds. The proofs of these two lemmas appear in the full version of 
the paper [2]. 

Lemma 1. Let $G$ be a random oracle from $\{0,1\}^*$ to $\mathbb{F}_p$. Let $\mathcal{A}$ be an ID-OWE 
attacker that has advantage $\epsilon$ against BasicIdent. Suppose $\mathcal{A}$ makes at most 
$q_E > 0$ private key extraction queries. Then there is a OWE attacker $\mathcal{B}$ that 
has advantage $\epsilon / e(1 + q_E)$ against PubKeyEnc. Its running time is $O(time(\mathcal{A}))$. 

Lemma 2. Let $H$ be a random oracle from $\mathbb{F}_{p^2}$ to $\{0,1\}^n$. Let $\mathcal{A}$ be a OWE 
attacker that has advantage $\epsilon$ against PubKeyEnc. Suppose $\mathcal{A}$ makes a total of 
$q_H > 0$ queries to $H$. Then there is an algorithm $\mathcal{B}$ that solves the WDH problem 
with advantage at least $(\epsilon - \frac{1}{2^n}) / q_H$ and a running time $O(time(\mathcal{A}))$. 

Proof of Theorem 1. The theorem follows directly from Lemma 1 and 
Lemma 2. Composing both reductions shows that an ID-OWE attacker on 
BasicIdent with advantage $\epsilon$ gives an algorithm for WDH with advantage 
$(\epsilon / e(1 + q_E) - 1/2^n) / q_H$, as required. □ 
4.3 Identity-Based Encryption with Chosen Ciphertext Security 

We use a technique due to Fujisaki-Okamoto [12] to convert the BasicIdent 
scheme of the previous section into a chosen ciphertext secure IBE system (in the 
sense of Section 2) in the random oracle model. Let $\mathcal{E}$ be a public key encryption 
scheme. We denote by $\mathcal{E}_{pk}(M; r)$ the encryption of $M$ using the random bits $r$ 
under the public key $pk$. Fujisaki-Okamoto define the hybrid scheme $\mathcal{E}^{hy}$ as: 

$\mathcal{E}^{hy}_{pk}(M) = \langle \mathcal{E}_{pk}(\sigma;\ H_1(\sigma, M)),\ G_1(\sigma) \oplus M \rangle$ 

Here $\sigma$ is generated at random and $H_1, G_1$ are cryptographic hash functions. 
Fujisaki-Okamoto show that if $\mathcal{E}$ is a one-way encryption scheme then $\mathcal{E}^{hy}$ is a 
chosen ciphertext secure system (IND-CCA) in the random oracle model (assuming 
$\mathcal{E}_{pk}$ satisfies some natural constraints). 

We apply this transformation to BasicIdent and show that the resulting IBE 
system is IND-ID-CCA. We obtain the following IBE scheme which we call FullIdent. 
Recall that $n$ is the length of the message to be encrypted. 

Setup: As in the BasicIdent scheme. In addition, we pick a hash function 
$H_1 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{F}_q$, and a hash function $G_1 : \{0,1\}^n \to \{0,1\}^n$. 

Extract: As in the BasicIdent scheme. 

Encrypt: To encrypt $M \in \{0,1\}^n$ under the public key $ID$ do the following: (1) 
use algorithm MapToPoint$_G$ to convert $ID$ into a point $Q_{ID} \in E/\mathbb{F}_p$ of order 
$q$, (2) choose a random $\sigma \in \{0,1\}^n$, (3) set $r = H_1(\sigma, M)$, and (4) set the 
ciphertext to be 

$C = \langle rP,\ \sigma \oplus H(g_{ID}^{\,r}),\ M \oplus G_1(\sigma) \rangle$ where $g_{ID} = e(Q_{ID}, P_{pub}) \in \mathbb{F}_{p^2}$ 

Decrypt: Let $C = \langle U, V, W \rangle \in \mathcal{C}$ be a ciphertext encrypted using the public 
key $ID$. If $U \in E/\mathbb{F}_p$ is not a point of order $q$ reject the ciphertext. To decrypt 
$C$ using the private key $d_{ID}$ do: 

1. Compute $V \oplus H(e(d_{ID}, U)) = \sigma$. 

2. Compute $W \oplus G_1(\sigma) = M$. 

3. Set $r = H_1(\sigma, M)$. Test that $U = rP$. If not, reject the ciphertext. 

4. Output $M$ as the decryption of $C$. 

This completes the description of FullIdent. Note that $M$ is encrypted as 
$W = M \oplus G_1(\sigma)$. This can be replaced by $W = E_{G_1(\sigma)}(M)$ where $E$ is a semantically 
secure symmetric encryption scheme (see [12]). 
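The BasicIdent and FullIdent algorithms above, run end to end, as an added example that is not code from the paper. Computing the Weil pairing on $y^2 = x^3 + 1$ is out of scope here, so this is a toy model: points of the order-$q$ group generated by $P$ are represented by their discrete logarithms mod $q$ (so $P$ is 1 and $aP$ is $a$), the pairing $e(aP, bP)$ is modelled as $ab \bmod q$, and the target group $\mathbb{F}_{p^2}^*$ is written additively so that $g^r$ becomes $rg \bmod q$. That keeps exactly the bilinearity the consistency equation $e(sQ_{ID}, rP) = e(Q_{ID}, P_{pub})^r$ relies on and has no security whatsoever, since every "point" reveals its logarithm. The group order (a Mersenne prime), the 128-bit message length and the SHA-256 constructions standing in for $H$, MapToPoint$_G$, $H_1$ and $G_1$ are all assumptions of the example; every place the paper says "reject" returns None.

```python
"""Toy model of BasicIdent and FullIdent (Boneh-Franklin) with a stand-in pairing.

Points of the order-q group generated by P are their discrete logs mod q (P = 1),
e(aP, bP) is modelled as a*b mod q, and the target group is written additively
(g^r becomes r*g mod q). Bilinearity holds; security does not. All constants are
constructed for the example, not taken from the paper.
"""
import hashlib
import secrets

Q = 2**127 - 1   # toy group order q (Mersenne prime); constructed
NLEN = 16        # message length n = 128 bits, in bytes; constructed


def pairing(a, b):
    """Stand-in for the Weil pairing e(aP, bP); bilinear in both arguments."""
    return (a * b) % Q


def target_pow(g, r):
    """g^r in the (additively modelled) target group."""
    return (g * r) % Q


def H(g):
    """H : F_{p^2} -> {0,1}^n, modelled as a hash of the target-group element."""
    return hashlib.sha256(b"H|" + g.to_bytes(16, "big")).digest()[:NLEN]


def map_to_point(identity):
    """MapToPoint_G : {0,1}^* -> a point of order q (here: a nonzero scalar)."""
    h = int.from_bytes(hashlib.sha256(b"G|" + identity).digest(), "big")
    return 1 + h % (Q - 1)


def H1(sigma, m):
    """H1 : {0,1}^n x {0,1}^n -> Z_q, kept nonzero so U = rP is never the identity."""
    h = int.from_bytes(hashlib.sha256(b"H1|" + sigma + m).digest(), "big")
    return 1 + h % (Q - 1)


def G1(sigma):
    """G1 : {0,1}^n -> {0,1}^n."""
    return hashlib.sha256(b"G1|" + sigma).digest()[:NLEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup(master=None):
    """Setup: master-key s and P_pub = sP (P = 1 in this model)."""
    s = master if master is not None else 1 + secrets.randbelow(Q - 1)
    return s, s % Q


def extract(s, identity):
    """Extract: d_ID = s * Q_ID."""
    return (s * map_to_point(identity)) % Q


def basic_encrypt(p_pub, identity, m, r):
    """BasicIdent Encrypt: C = <rP, M xor H(g_ID^r)> with g_ID = e(Q_ID, P_pub)."""
    g_id = pairing(map_to_point(identity), p_pub)
    return (r % Q, xor(m, H(target_pow(g_id, r))))


def basic_decrypt(d_id, c):
    """BasicIdent Decrypt: V xor H(e(d_ID, U)); None means 'reject'."""
    u, v = c
    if not 0 < u < Q:            # U is not a point of order q
        return None
    return xor(v, H(pairing(d_id, u)))


def full_encrypt(p_pub, identity, m, sigma):
    """FullIdent Encrypt: the Fujisaki-Okamoto transform applied to BasicIdent."""
    r = H1(sigma, m)
    g_id = pairing(map_to_point(identity), p_pub)
    return (r, xor(sigma, H(target_pow(g_id, r))), xor(m, G1(sigma)))


def full_decrypt(d_id, c):
    """FullIdent Decrypt, steps 1-4 of the paper; None means 'reject'."""
    u, v, w = c
    if not 0 < u < Q:
        return None
    sigma = xor(v, H(pairing(d_id, u)))    # step 1
    m = xor(w, G1(sigma))                   # step 2
    if u != H1(sigma, m):                   # step 3: test U = rP
        return None
    return m                                # step 4
```

Flipping one bit of $W$ changes the recovered $M$ and therefore $H_1(\sigma, M)$, so step 3 finds $U \ne rP$ and the ciphertext is rejected; that check is what the transform adds over BasicIdent, where a flipped bit of $V$ would silently flip a bit of the plaintext.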



Security. The following theorem shows that FullIdent is a chosen ciphertext 
secure IBE (i.e. IND-ID-CCA), assuming WDH is hard. 

Theorem 2. Let $\mathcal{A}$ be a $t$-time IND-ID-CCA attacker on FullIdent that achieves 
advantage $\epsilon$. Suppose $\mathcal{A}$ makes at most $q_E$ extraction queries, at most $q_D$ decryption 
queries, and at most $q_H, q_{G_1}, q_{H_1}$ queries to the hash functions $H, G_1, H_1$ 
respectively. Then there is a $t_1$-time algorithm for WDH that achieves advantage 
$\epsilon_1$ where 

$t_1 = FO_{time}(t, q_{G_1}, q_{H_1})$ 

$\epsilon_1 = \left[ FO_{adv}\left(\frac{\epsilon}{e(1 + q_E + q_D)},\ q_{G_1},\ q_{H_1},\ q_D\right) - \frac{1}{2^n} \right] / q_H$ 

where the functions $FO_{time}$ and $FO_{adv}$ are defined in Theorem 3. 

The proof of the theorem is based on the theorem below due to Fujisaki and 
Okamoto (Theorem 14 in [12]). We state their theorem as it applies to the public 
key encryption scheme PubKeyEnc of the previous section. Let PubKeyEnc$^{hy}$ be 
the result of applying the Fujisaki-Okamoto transformation to PubKeyEnc. 

Theorem 3 (FO). Suppose there is a $(t, q_{G_1}, q_{H_1}, q_D)$ IND-CCA attacker that 
achieves advantage $\epsilon$ when attacking PubKeyEnc$^{hy}$. Then there is a $(t_1, \epsilon_1)$ OWE 
attacker on PubKeyEnc where 

$t_1 = FO_{time}(t, q_{G_1}, q_{H_1}) = t + O((q_{G_1} + q_{H_1}) \cdot n)$, and 

$\epsilon_1 = FO_{adv}(\epsilon, q_{G_1}, q_{H_1}, q_D) = \frac{1}{2(q_{G_1} + q_{H_1})} \left[ (\epsilon + 1)(1 - 2/q)^{q_D} - 1 \right]$ 

We also need the following lemma to translate between an IND-ID-CCA chosen 
ciphertext attack on FullIdent and an IND-CCA chosen ciphertext attack on 
PubKeyEnc$^{hy}$. The proof appears in the full version of the paper [2]. 

Lemma 3. Let $\mathcal{A}$ be an IND-ID-CCA attacker that has advantage $\epsilon$ against the 
IBE scheme FullIdent. Suppose $\mathcal{A}$ makes at most $q_E > 0$ private key extraction 
queries and at most $q_D$ decryption queries. Then there is an IND-CCA attacker 
$\mathcal{B}$ that has advantage at least $\epsilon / (e(1 + q_E + q_D))$ against PubKeyEnc$^{hy}$. Its running time 
is $O(time(\mathcal{A}))$. 

Proof of Theorem 2. By Lemma 3 an IND-ID-CCA attacker on FullIdent 
implies an IND-CCA attacker on PubKeyEnc$^{hy}$. By Theorem 3 an IND-CCA 
attacker on PubKeyEnc$^{hy}$ implies a OWE attacker on PubKeyEnc. By Lemma 2 
a OWE attacker on PubKeyEnc implies an algorithm for WDH. Composing all 
these reductions gives the required bounds. □ 



5 Extensions and Observations 

Tate pairing and other curves. Our IBE system has some flexibility in terms 
of the curves being used and the definition of the pairing. For example, one 
could use the curve $y^2 = x^3 + x$ with its endomorphism $\phi : (x, y) \to (-x, iy)$ 
where $i^2 = -1$. We do not explore this here, but note that both encryption and 
decryption in FullIdent can be made faster by using the Tate pairing. In general, 
one can use any efficiently computable bilinear pairing $e : G_1 \times G_1 \to G_2$ 
between two groups $G_1, G_2$ as long as the WDH assumption holds. One would 
also need a way to map identities in $\{0,1\}^*$ uniformly onto $G_1$. 
Distributed PKG. In the standard use of an IBE in an e-mail system the 
master-key stored at the PKG must be protected in the same way that the private 
key of a CA is protected. One way of protecting this key is by distributing 
it among different sites using techniques of threshold cryptography. Our 
IBE system supports this in a very efficient and robust way. Recall that the 
master-key is some $s \in \mathbb{F}_q$. In order to generate a private key the PKG computes 
$Q_{priv} = sQ_{ID}$, where $Q_{ID}$ is derived from the user's public key $ID$. This can 
easily be distributed in a $t$-out-of-$n$ fashion by giving each of the $n$ PKGs one 
share $s_i$ of a Shamir secret sharing of $s \bmod q$. When generating a private key 
each of the $t$ chosen PKGs simply responds with $Q_{priv}^{(i)} = s_i Q_{ID}$. The user can 
then construct $Q_{priv}$ as $Q_{priv} = \sum_i \lambda_i Q_{priv}^{(i)}$ where the $\lambda_i$'s are the appropriate 
Lagrange coefficients. 

Furthermore, it is easy to make this scheme robust against dishonest PKGs 
using the fact that DDH is easy in $G_q$ (the group generated by $P$). During 
setup each of the $n$ PKGs publishes $P_{pub}^{(i)} = s_i P$. During a key generation 
request the user can verify that the response from the $i$'th PKG is valid by 
testing that: 

$e(Q_{priv}^{(i)}, P) = e(Q_{ID}, P_{pub}^{(i)})$ 

Thus, a misbehaving PKG will be immediately caught. There is no need for 
zero-knowledge proofs as in regular robust threshold schemes. The PKG's 
master-key can be generated in a distributed fashion using the techniques 
of [T^. 

Note that a distributed master-key also enables decryption on a per-message 
basis, without any need to derive the corresponding decryption key. For example, 
threshold decryption of BasicIdent ciphertext $\langle U, V \rangle$ is straightforward if 
each PKG responds with $e(s_i Q_{ID}, U)$. 
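The distributed PKG just described, as an added example (not the paper's code) in the same insecure toy model used earlier: points are their discrete logarithms mod $q$ with $P = 1$, $e(aP, bP)$ is $ab \bmod q$, and the target group is written additively, so the product of pairing values raised to Lagrange coefficients becomes a weighted sum. It covers the Shamir sharing of $s \bmod q$, the Lagrange reconstruction of $Q_{priv}$, the robustness check $e(Q_{priv}^{(i)}, P) = e(Q_{ID}, P_{pub}^{(i)})$ that catches a dishonest PKG, and the per-message combination of the partials $e(s_i Q_{ID}, U)$ into $e(d_{ID}, U)$ without ever assembling $d_{ID}$. The group order and the hash used for MapToPoint$_G$ are constructed assumptions.

```python
"""Toy t-out-of-n distributed PKG for the Boneh-Franklin IBE (Section 5).

Same stand-in as the earlier toy: points are discrete logs mod q (P = 1),
e(aP, bP) = a*b mod q, target group additive. No security; constants constructed.
"""
import hashlib
import secrets

Q = 2**127 - 1   # toy group order q (Mersenne prime); constructed


def pairing(a, b):
    """Stand-in for e(aP, bP)."""
    return (a * b) % Q


def map_to_point(identity):
    """MapToPoint_G: identity string -> nonzero scalar standing in for Q_ID."""
    h = int.from_bytes(hashlib.sha256(b"G|" + identity).digest(), "big")
    return 1 + h % (Q - 1)


def share_master_key(s, t, n):
    """Shamir t-out-of-n sharing of s mod q: PKG i (1..n) receives s_i = f(i).
    Its published verification value P_pub^(i) = s_i P is just s_i in this model."""
    coeffs = [s % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def lagrange_at_zero(indices):
    """lambda_i = prod_{j != i} j / (j - i) mod q, for recovering f(0)."""
    lam = {}
    for i in indices:
        num, den = 1, 1
        for j in indices:
            if j != i:
                num = num * j % Q
                den = den * (j - i) % Q
        lam[i] = num * pow(den, Q - 2, Q) % Q   # q is prime: Fermat inverse
    return lam


def pkg_respond(s_i, identity):
    """PKG i answers a private-key request with Q_priv^(i) = s_i Q_ID."""
    return (s_i * map_to_point(identity)) % Q


def response_is_valid(q_priv_i, p_pub_i, identity):
    """Robustness check: e(Q_priv^(i), P) == e(Q_ID, P_pub^(i))."""
    return pairing(q_priv_i, 1) == pairing(map_to_point(identity), p_pub_i)


def reconstruct_private_key(responses):
    """Q_priv = sum_i lambda_i Q_priv^(i) over any t valid responses."""
    lam = lagrange_at_zero(list(responses))
    return sum(lam[i] * r for i, r in responses.items()) % Q


def threshold_decrypt_mask(partials):
    """Combine the partials e(s_i Q_ID, U) into e(d_ID, U) without building d_ID.
    In the real multiplicative target group this is prod_i partial_i^{lambda_i}."""
    lam = lagrange_at_zero(list(partials))
    return sum(lam[i] * p for i, p in partials.items()) % Q
```

The check in response_is_valid is the whole robustness story: a PKG that returns anything other than $s_i Q_{ID}$ fails the pairing equation against its own published $P_{pub}^{(i)}$, so the user discards that response before combining the rest.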

Working in subgroups. The performance of our IBE system can be improved 
if we work in a small subgroup of the curve. For example, choose a 1024-bit 
prime $p \equiv 2 \bmod 3$ with $p = aq - 1$ for some 160-bit prime $q$. The point $P$ 
is then chosen to be a point of order $q$. Each public key $ID$ is converted to a 
group point by hashing $ID$ to a point $Q$ on the curve and then multiplying the 
point by $a$. The system is secure if the WDH assumption holds in the group 
generated by $P$. The advantage is that Weil computations are done on points 
of small order, and hence are much faster. 

IBE implies signatures. Moni Naor has observed that an IBE scheme can 
be immediately converted into a public key signature scheme. The intuition 
is as follows. The private key for the signature scheme is the master key for 
the IBE scheme. The public key for the signature scheme is the global system 
parameters for the IBE scheme. The signature on a message $M$ is the IBE 
decryption key for $ID = M$. To verify a signature, choose a random message 
$M'$, encrypt $M'$ using the public key $ID = M$, and then attempt to decrypt 
using the given signature on $M$ as the decryption key. If the IBE scheme is 
IND-ID-CCA, then the signature scheme is existentially unforgeable against 
a chosen message attack. Note that,  unlike most signature schemes, the 
signature verification algorithm here is randomized. This shows that secure IBE 
schemes require both public key encryption and digital signatures. We note 
that the signature scheme derived from our IBE system has some interesting 
properties [3]. 

6 Escrow ElGamal Encryption 

In this section we note that the Weil pairing enables us to add a global escrow 
capability to the ElGamal encryption system. A single escrow key enables the 
decryption of ciphertexts encrypted under any public key. Paillier and Yung 
have shown how to add a global escrow capability to the Paillier encryption 
system m- Our ElGamal escrow system works as follows: 

Setup: The algorithm works as follows: 

Step 1: Choose a large $k$-bit prime $p$ such that $p \equiv 2 \bmod 3$ and $p = 6q - 1$ for 
some prime $q > 3$. Let $E$ be the elliptic curve defined by $y^2 = x^3 + 1$ over 
$\mathbb{F}_p$. Choose an arbitrary $P \in E/\mathbb{F}_p$ of order $q$. 

Step 2: Pick a random $s \in \mathbb{Z}_q$ and set $Q = sP$. 

Step 3: Choose a cryptographic hash function $H : \mathbb{F}_{p^2} \to \{0,1\}^n$. 

The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = E/\mathbb{F}_p \times \{0,1\}^n$. 
The system parameters are params $= \langle p, n, P, Q, H \rangle$. The escrow key is $s \in \mathbb{Z}_q$. 

keygen: A user generates a public/private key pair for herself by picking a 
random $x \in \mathbb{Z}_q$ and computing $P_{pub} = xP$. Her private key is $x$, her public 
key is $P_{pub}$. 

Encrypt: To encrypt $M \in \{0,1\}^n$ under the public key $P_{pub}$ do the following: 
(1) pick a random $r \in \mathbb{Z}_q$, and (2) set the ciphertext to be: 

$C = \langle rP,\ M \oplus H(g^r) \rangle$ where $g = e(P_{pub}, Q) \in \mathbb{F}_{p^2}$ 

Decrypt: Let $C = \langle U, V \rangle$ be a ciphertext encrypted using $P_{pub}$. If $U \in E/\mathbb{F}_p$ 
is not a point of order $q$ reject the ciphertext. To decrypt $C$ using the private 
key $x$ do: 

$V \oplus H(e(U, xQ)) = M$ 

Escrow-decrypt: To decrypt $C = \langle U, V \rangle$ using the escrow key $s$ do: 

$V \oplus H(e(U, sP_{pub})) = M$ 

A standard argument shows that assuming WDH the system has semantic 
security in the random oracle model (recall that since DDH is easy we cannot 
prove semantic security based on DDH). Yet, the escrow agent can decrypt any 
ciphertext encrypted using any user's public key. The decryption capability of the 
escrow agent can be distributed using the PKG distribution techniques described 
in Section 5. 

Using a similar hardness assumption, Verheul m has recently described 
an ElGamal encryption system with non-global escrow. Each user constructs a 
public key with two corresponding private keys, and gives one of the private keys 
to the trusted third party. Although both private keys can be used to decrypt, 
only the user's private key can be used simultaneously as the signing key for a 
discrete logarithm based signature scheme. 



7 Summary and Open Problems 

We defined chosen ciphertext security for identity-based systems and proposed 
a fully functional IBE scheme. The scheme has chosen ciphertext security in 
the random oracle model assuming WDH, a natural analogue of the computational 
Diffie-Hellman problem. The WDH assumption deserves further study 
considering the powerful cryptosystems derived from it. For example, it could 
be interesting to see whether the techniques of izni can be used to prove that 
the WDH assumption is equivalent to the discrete log assumption on the curve 
for certain primes $p$. 

It is natural to try and build chosen ciphertext secure identity based systems 
that are secure under standard complexity assumptions (rather than the random 
oracle model). One might hope to use the techniques of Cramer-Shoup jS] 
to provide chosen ciphertext security based on DDH. Unfortunately, as mentioned 
in Section 3 the DDH assumption is false in the group of points on the 
curve $E$. However, a natural variant of DDH does seem to hold. In particular, 
the following two distributions appear to be computationally indistinguishable: 
$\langle P, aP, bP, cP, abcP \rangle$ and $\langle P, aP, bP, cP, rP \rangle$ where $a, b, c, r$ are random in $\mathbb{Z}_q$. We 
refer to this assumption as WDDH. It is natural to ask whether there is a chosen 
ciphertext secure identity-based system strictly based on WDDH. Such a scheme 
would be the analogue of the Cramer-Shoup system. 
Abstract. An adaptive chosen ciphertext attack against PKCS #1 
v2.0 RSA OAEP encryption is described. It recovers the plaintext - not 
the private key - from a given ciphertext in a little over $\log_2 n$ queries 
of an oracle implementing the algorithm, where $n$ is the RSA modulus. 
The high likelihood of implementations being susceptible to this attack 
is explained as well as the practicality of the attack. Improvements to 
the algorithm to defend against the attack are discussed. 

Keywords: chosen ciphertext attack, RSA, OAEP, PKCS 



1 Introduction 

At CRYPTO '98 Daniel Bleichenbacher presented an adaptive chosen ciphertext 
attack against PKCS #1 v1.5 RSA block type 2 padding Q. The attack 
needs roughly one million oracle queries to succeed for a 1024-bit RSA key. He 
concluded that RSA encryption should include an integrity check and that the 
phase between decryption and integrity verification is crucial, because any 
information leaking from this phase can present a security risk. Version 2.0 of PKCS #1 
introduced a new algorithm RSAES-OAEP that uses Optimal Asymmetric 
Encryption Padding (OAEP) to counteract this attack P]|S|. It says, "a chosen 
ciphertext attack is ineffective against a plaintext-aware encryption scheme such 
as RSAES-OAEP". However, the design of RSAES-OAEP makes it highly likely 
that implementations will leak information between the decryption and integrity 
check operations making them susceptible to a chosen ciphertext attack that 
requires many orders of magnitude less effort than similar attacks against PKCS #1 
v1.5 block type 2 padding. The attack needs roughly one thousand oracle 
queries to succeed for a 1024-bit RSA key. 

Section 2 summarizes RSA Optimal Asymmetric Encryption Padding as 
defined in PKCS #1 v2.0.$^1$ Section 3 describes a chosen ciphertext attack against this 
algorithm. Section 4 explores the practicality of the assumptions necessary for 
the attack to proceed. Section 5 discusses approaches for changing the algorithm 
or its implementation to prevent the attack and restore the intended security 
properties. 

$^1$ The same algorithm is standardized in IEEE 1363, where the relevant message 
encoding method for encryption is called EME1. 

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 230- 1^1^ 2001. 



2 RSAES-OAEP 

RSAES-OAEP encryption starts by encoding a seed, a hash, padding octets and 
the secret (typically a session key) into an octet string. Masking operations 
effectively randomize these octets before they are treated as the unsigned binary 
representation of an integer, the integer used in the RSA modular exponentiation 
operation. The number of padding octets is chosen so that the encoding 
consumes one less octet than required for an unsigned binary representation of 
the modulus. This ensures the integer is less than the modulus as required in 
RSA. Alternatively, the encoded message can be considered as an octet string 
the same length as the modulus, but with the most significant octet set to '00'h. 

Figure 1 shows the RSAES-OAEP decryption and decoding process. The 
ciphertext is converted to the plaintext by modular exponentiation with the 
private exponent followed by integer-to-octet translation. A mask generation 
function (MGF) uses the least significant portion of the plaintext to unmask 
the seed. A mask generated from the seed unmasks a hash, padding and the 
confidential message. The integrity of the ciphertext is verified by comparing 
the unmasked hash to an independently calculated hash of the parameters (and 
by checking the padding). 

Fig. 1. RSAES-OAEP Decoding 

After the private key operation the decryption operation can fail in the 
integer-to-octet translation (e.g. the integer is too large to fit in one fewer octets 
than the modulus) or in the OAEP-decoding (e.g. integrity check fails). In both 
instances PKCS #1 v2.0 says to output "decryption error" and stop. 



3 Chosen Ciphertext Attack 

Let $n$ be an RSA modulus, with $e$ and $d$ the public and private exponents 
respectively. Let $k = \lceil \log_{256} n \rceil$ be the byte length of $n$ and let $B = 2^{8(k-1)}$.$^2$ 

Assume an attacker knows the public key $(n, e)$ and has access to an oracle 
that for any chosen ciphertext $x$ indicates whether the corresponding plaintext 
$y = x^d \pmod n$ is less than $B$ or not — returning "$y < B$" or "$y \ge B$". For 
the last assumption to hold it is sufficient for the oracle to distinguish a failure 
in the integer-to-octets conversion (in which case "$y \ge B$" is returned) from any 
subsequent failure, e.g. of the integrity check. 

The attacker wishes to determine the plaintext $m = c^d \pmod n$ corresponding 
to a captured ciphertext $c$. The basic step is to choose a multiple $f$ 
and send $f^e \cdot c \pmod n$ to the oracle. This ciphertext corresponds to the plaintext 
$f \cdot m$.$^3$ The oracle indicates if this is in the range $[0, B)$ or $[B, n)$ modulo 
$n$, thus providing a mathematical relationship about $m$ that reduces the range 
(or ranges) in which it must lie. The aim is to reduce this range with successive 
oracle queries until just one value is left — $m$. 

The approach of the attack described in this paper is to choose values of $f$ 
such that the range where $f \cdot m$ could lie spans exactly one boundary between 
a region where $f \cdot m < B \pmod n$ and a region where $f \cdot m \ge B \pmod n$. 
The oracle response narrows the range to one of these regions. 

Initially we know $m \in [0, B)$, as all valid messages are in this range by 
construction. One point to note is that since $m < B$ there is always a multiple 
of $m$ that lies in any region of width $B$. For instance, for any integer $i$ there is 
always some integer $f$ such that $f \cdot m \in [in, in + B)$. 

The following attack assumes $2B < n$. This assumption will usually be 
satisfied as RSA moduli are typically chosen to be exact multiples of 8 bits long 
making $n$ between 128 and 256 times larger than $B$. Situations where this 
assumption does not hold are discussed toward the end of this section. 



Step 1: Try multiples of $2, 4, 8, \ldots, 2^i, \ldots$ in turn until the oracle returns "$\ge B$". 
For each multiple $f_1$ the possible values of $f_1 \cdot m$ span a single boundary point 
at $B$. 

1.1 We know $m \in [0, B)$. Let $f_1 = 2$. 

1.2 So $f_1 \cdot m \in [0, 2B)$. Try $f_1$ with the oracle, i.e. send $f_1^e \cdot c \pmod n$. 

$^2$ Any number less than $B$ encoded into $k$ octets will start with a '00'h octet. 

$^3$ $(f^e \cdot c)^d = f^{ed} \cdot c^d = f \cdot m \pmod n$ 
1.3a If the oracle indicates "$< B$": 

This implies $f_1 \cdot m \in [0, B)$, so $2f_1 \cdot m \in [0, 2B)$. 

Set $f_1 \leftarrow 2f_1$ and go back to step 1.2. 

1.3b If the oracle indicates "$\ge B$": 

This implies $f_1 \cdot m \in [B, 2B)$ for a known (even) multiple $f_1$. Rephrasing this 
gives $\frac{f_1}{2} \cdot m \in [\frac{B}{2}, B)$ for a known multiple $\frac{f_1}{2}$. Now move to the next step. 

Step 2: Start with a multiple $f_2$ such that $f_2 \cdot m$ is just less than $n + B$ for 
the maximum possible $m$. Keep increasing this multiple until the oracle returns 
"$< B$". For each multiple $f_2$ the possible values of $f_2 \cdot m$ span a single boundary 
point at $n$. 

2.1 We have $\frac{f_1}{2} \cdot m \in [\frac{B}{2}, B)$. Let $f_2 = \ldots$ 

2.2 So $f_2 \cdot m \in [\frac{n}{2}, n + B)$. Try $f_2$ with the oracle. 

2.3a If the oracle indicates "$\ge B$": 

This implies $f_2 \cdot m \in [\frac{n}{2}, n)$, so $(f_2 + \frac{f_1}{2}) \cdot m \in [\frac{n}{2}, n + B)$. 

Set $f_2 \leftarrow f_2 + \frac{f_1}{2}$ and go back to step 2.2. 

2.3b If the oracle indicates "$< B$": 

This implies $f_2 \cdot m \in [n, n + B)$ for a known multiple $f_2$. Now move to the 
next step. 

As $f_2$ increases at iterations through step 2.3a the lower bound on $f_2 \cdot m$ 
increases, eventually exceeding $n$ when $f_2 = \lceil \frac{2n}{B} \rceil \cdot \frac{f_1}{2}$. Branch 2.3b must occur 
at or before this multiple. That is, step 2 will always terminate — taking at most 
$\lceil \frac{n}{B} \rceil$ oracle queries. 

Step 3: Try multiples $f_3$ that give a range for $f_3 \cdot m$ about $2B$ integers wide 
and spanning a single boundary point. Each oracle response will halve the range 
back to a width of about $B$ integers, so the next multiple is approximately twice 
the previous value. 

3.1 We have $f_2 \cdot m \in [n, n + B)$. 

Rephrasing, we have a multiple $f_2$ and a range $[m_{min}, m_{max})$ of possible $m$ 
values, where $m_{min} = \lceil \ldots \rceil$, $m_{max} = \ldots$ and $f_2 \cdot (m_{max} - m_{min}) \approx B$. 

3.2 Choose a multiple $f_{tmp}$ such that the width of $f_{tmp} \cdot m$ is approximately 
$2B$. 

$f_{tmp} = \lfloor \ldots \rfloor$. This value is about double the previous multiple. 

3.3 Select a boundary point, $in + B$, near the range of $f_{tmp} \cdot m$. 

$i = \left\lfloor \frac{f_{tmp} \cdot m_{min}}{n} \right\rfloor$. 

3.4 Choose a multiple $f_3$ such that $f_3 \cdot m$ spans a single boundary point at 
$in + B$. 

$f_3 = \lceil \ldots \rceil$. This gives $f_3 \cdot m \in [in, in + 2B)$ (though the upper bound 
is only approximate). $f_3$ is approximately equal to $f_{tmp}$. Try $f_3$ with the 
oracle. 

3.5a If the oracle indicates "$\ge B$": 

This implies $f_3 \cdot m \in [in + B, in + 2B)$. 

Set $m_{min} \leftarrow \ldots$ and go back to step 3.2. 

3.5b If the oracle indicates "$< B$": 

This implies $f_3 \cdot m \in [in, in + B)$. 

Set $m_{max} \leftarrow \lfloor \ldots \rfloor$ and go back to step 3.2. 

Each answer from the oracle in step 3 selects either the top or bottom half 
(approximately) of the $f_3 \cdot m$ range, halving the range of possible $m$ values. 
Eventually the range in which $m$ lies narrows to a single number, which is the 
desired plaintext. At this point $f_3 \ldots$ 

The description of step 3 above does not provide a proof that those particular 
choices of multiples, boundary points and interval widths will always work for 
any key or message. Minor variations on these choices can make the attack 
algorithm marginally more efficient. See ^ for a more mathematically rigorous 
analysis of a closely related problem. 



3.1 Complexity 

Steps 1 and 3 approximately halve the range of possible $m$ values with each 
iteration so between them they take about $\log_2 B = 8(k - 1)$ oracle queries.$^4$ 
Step 2 takes at most $\lceil \frac{n}{B} \rceil$ oracle queries (which must be $\le 256$), and half this 
number on average. 

RSA moduli are typically chosen to be exact multiples of 8 bits long, e.g. 
1024-bit moduli are far more prevalent than, say, 1021-bit moduli. Hence, for 
typical keys $\lceil \frac{n}{B} \rceil$ is in the range $(128, 256]$, so step 2 will typically take on the 
order of 100 oracle queries. 

For a 1024-bit RSA key the attack requires about 1100 oracle queries, for a 
2048-bit key about 2200. 

3.2 When $n < 2B$ 

The attack procedure described above assumes $2B < n$. If this is not the case, 
an indication from the oracle of "$< B$" when $f = 2$ narrows the range in which 
$f \cdot m$ lies not to a single region, but to a pair of regions: $f \cdot m \in [0, B) \cup [n, 2B)$. 
The range in which $m$ is known to lie is reduced in total size, but is no longer 
confined to a single interval. This somewhat complicates the decision about 
which multiples to try but an adaptive chosen ciphertext attack will still work. 
The chosen ciphertext attack against RSA block type 2 padding had a similar 
issue — see P for a full analysis. 

3.3 Comparison to the RSA Block Type 2 Attack 

Analysis in ^ of the number of oracle queries required for a chosen ciphertext 
attack found an expression with two terms: the first term inversely proportional 
to the probability that a random integer from $[0, n)$ conforms to the encoding 
format; the second term proportional to $\log_2 n$. The first term dominates for RSA 
block type 2 padding (making the number of required queries quite dependent 
on various implementation issues, i.e. how the encoding format is checked). For 
RSAES-OAEP the first term corresponds to the number of oracle queries in step 
2, which is an order of magnitude less than the second term. 

$^4$ Reduction of the range of possible $m$ values in step 2 slightly reduces the number of 
oracle queries required during steps 1 and 3, but this number also slightly increases 
(by a few percent) as the ranges in step 3 are not exactly centred on boundary 
points. 



4 Likelihood of Susceptibility 

The chosen ciphertext attack described in the previous section starts with an 
assumption that the attacker can distinguish a failure in the integer-to-octets 
conversion from any subsequent failure, e.g. of the integrity check during OAEP-
decoding. PKCS #1 v2.0, however, recognizes this risk by explicitly stating 
"it is important that the error messages output in steps 4 [integer-to-octets 
conversion] and 5 [OAEP decoding] be the same".$^5$ This section investigates why, 
in spite of this statement, it is likely that many RSAES-OAEP implementations 
will be susceptible to chosen ciphertext attack. 



4.1 Spelling 

Simply misspelling a word, including a full-stop or starting with a capital letter 
at one point is sufficient to distinguish two error messages that are otherwise the 
same. Having to rely for security on the absence of any such trivial occurrence 
in an implementation should not be necessary. 



4.2 Logs 

Even when a system avoids revealing error details in, say, its protocol response 
it is likely to reveal more detailed error descriptions in its logs.$^6$ "Integer too 
large" and "decoding error" - included in PKCS #1 v2.0 as error messages 
from sub-routines used by RSAES-OAEP - are just the sort of details a log may 
contain yet their presence is sufficient for the attack to proceed. Requiring access 
to system logs clearly lessens the risk of an attack but it is still an attack that 
must be considered. Logs are typically available to a much larger set of people 
than have direct access to a private key and logs will be given less protection 
(and should not be required to have the same protection as a private key). 

$^5$ PKCS #1 v2.0, section 7.1.2 Decryption operation, last paragraph. 

$^6$ Divulging less detail and only very general error indications is a well-known security 
technique, but it does come at a cost. Less information for an attacker also means 
less information for developers, support staff and users to understand the state of a 
system and respond appropriately. 
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4.3 Other Error Conditions 

There are many possible errors that are not mentioned in the definition of 
RSAES-OAEP in PKCS #1 v2.0. This seems sensible as most are implementa- 
tion issues but it becomes problematic when, due to the algorithm’s design, these 
errors can have serious security implications. Consider what could happen when 
an unsupported mask generation function (MCE) is specified (by the attacker, 
along with his chosen ciphertext). Though not explicitly considered in PKCS 
^1, some sort of error must result, say “unsupported algorithm”, and it may 
not be detected until the MCE is first used - in the OAEP-decoding stage. Any 
indication that the OAEP-decoding stage has been reached, however, is sufficient 
for the attack to proceed as it implies the previous integer-to-octet conversion 
stage was successful, i.e. plaintext < B. 

4.4 Timing 

Even identical error responses can be distinguished if they take different amounts 
of time to occur. For instance, detecting an integrity error during OAEP- 
decoding takes at least the time of two mask generation operations longer than 
detecting an error in the integer-to-octet conversion. Though this time difference 
may be small compared to the total response time (e.g. the modular exponen- 
tiation is likely to take much longer) it is still likely to be measurable, even if 
extra oracle queries and statistical analysis have to be employed. 

RSAES-OAEP offers an even bigger target for a timing attack. The integrity 
check compares a hash from the OAEP-decoding to a locally calculated hash 
of the parameters. The parameters can be an octet string of arbitrary length 
chosen by the attacker. The hash is only needed in the OAEP-decoding stage 
and it is reasonable to assume many implementations would calculate it during 
this stage (as the standard suggests), but this point is after the integer-to-octet 
conversion. An attacker can achieve whatever time difference he or she requires 
to distinguish the relevant error sources by using a sufficiently large octet string 
for the parameters — set the parameters to be 10MB long and do the attack 
with a wristwatch. 

This use of the hash operation to attack RSAES-OAEP illustrates the al- 
gorithm’s fragile nature. The hash does not involve the private key or the se- 
cret in the plaintext at all, so even a diligent implementer is unlikely to expect 
its operation to impact the security. Performing the hash operation before the 
integer-to-octet conversion eliminates its usefulness in a timing attack. 

4.5 Summary 

An algorithm that relies on identical responses to errors (despite their disparate 
sources), no access to logs, a specific (undocumented and not obvious) order of 
sub-tasks and attention to timing must be considered quite fragile. Though it is 
possible some implementations of RSAES-OAEP will be immune, it is quite likely 
that many others will be susceptible to the chosen ciphertext attack described in 
this paper. To some degree RSAES-OAEP achieves security through obscurity: 
obscurity of the source of errors, of implementation details and of timing 
information. Obscurity, however, is widely recognized as a poor principle for 
designing an algorithm. 

5 Directions towards a Solution 

The attack relies on distinguishing different actions of the oracle resulting from 
a decision about the structure of the plaintext. This suggests two possible ap- 
proaches for a solution: ensure the actions are indistinguishable; or avoid any 
decision based on the structure of the plaintext. The former approach uses obscu- 
rity to achieve security, while the latter approach offers better hope of reducing 
the security dependence on seemingly innocuous implementation choices. 

PKCS #1 v2.0 makes a basic effort at obscurity by outputting the same error 
message for all identified errors. PKCS #1 v2.1 draft 2 enhances this effort by 
noting that errors from integer-to-octet conversion and OAEP-decoding must be 
indistinguishable and, importantly, that execution time must not reveal which 
error occurred.^1 

A naive solution for avoiding a decision about the structure of the plaintext 
is to simply ignore its structure, i.e. ignore its most significant octet (after 
converting the integer $m$ to $k$ octets). Ignoring this octet during decryption 
allows it to be set to any value (e.g. a random value) during encryption (subject 
to the restriction $m < n$). As it stands, however, this is not a good solution 
because these modifications mean the algorithm is no longer plaintext-aware, 
destroying the security proof that OAEP offered. An operation on a ciphertext 
that only altered the most significant octet of the corresponding plaintext would 
produce a different, but still valid, ciphertext without requiring knowledge of 
the plaintext. How to perform such an operation is an open question (at least to 
the author), as is the question of how such an ability would affect security in 
practice. 

Another open question is how to modify RSAES-OAEP to eliminate the last 
vestige of structure from the plaintext, yet retain a proof of its security against 
chosen ciphertext attack in the random oracle model. Not only would such a 
solution avoid decisions based on plaintext structure, it would ensure no such 
decision could reasonably be made (even inadvertently) as there is no structure 
upon which to make it.^2 

5.1 Best Practise 

Though the check that $m < B$ is the basis of the attack, it is other details (such 
as the time a hash operation takes) that allow the attack to proceed. This 
reinforces Bleichenbacher's conclusion that the "integrity check must be performed 
in the correct step of the protocol - preferably immediately after decryption". 
Moving any processing that does not have to occur between the decryption 
and integrity check to another location is a practical step towards satisfying 
this criterion, hence lessening the exposure to chosen ciphertext attacks (though 
it does not, by itself, eliminate the threat). Processes that could be performed 
before the decryption operation in RSAES-OAEP include hashing the parameters, 
confirming that the relevant MGF and hash algorithms are supported, and 
allocating the memory required during mask generation and OAEP-decoding. 
Rearranging these processes should occur in implementations and also in the 
standards defining the algorithms, as the latter are the specification from which 
implementations are built. 

^1 PKCS #1 v2.1 draft 2, section 7.1.2 [RSAES-OAEP] Decryption operation, see the 
note at the bottom of page 18. 

^2 Such an inadvertent decision (i.e. a software bug) has been noticed by the author 
in one RSAES-OAEP implementation. It never explicitly checked if the plaintext 
"integer [was] too large", but just assumed it would fit in $k - 1$ octets and 
suffered buffer overflow problems when this was not the case. 
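The ordering argument of sections 4.4 and 5.1 in runnable form. This is an added example written for this edition, not code from the paper or from any PKCS #1 implementation. It models only the steps after the RSA private-key operation (the integer m is taken as already decrypted, so the modular exponentiation and the check m < n are outside the model), instantiates the hash with SHA-256 and the MGF with MGF1, fixes the octet length K at that of a 1024-bit modulus, and substitutes a count of octets fed to the hash for the wall-clock time an attacker would measure. The names HashMeter, decrypt_tail_v20, decrypt_tail_reordered, clock_says_below_b and the constructed 10 KB PARAMS string are all constructs of the example.

```python
import hashlib
import hmac

HLEN = 32                      # SHA-256 output length, in octets
K = 128                        # octet length of a 1024-bit modulus; B = 256 ** (K - 1)
PARAMS = b"P" * 10240          # constructed: a large attacker-chosen parameter string


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HashMeter:
    """Hash front end that counts the octets it digests. The count stands in for
    wall-clock time: the side channel is the time the hash of `params` and the
    two MGF1 calls take, which grows with len(params)."""

    def __init__(self) -> None:
        self.octets = 0

    def digest(self, data: bytes) -> bytes:
        self.octets += len(data)
        return hashlib.sha256(data).digest()

    def mgf1(self, seed: bytes, length: int) -> bytes:
        out = b""
        for counter in range((length + HLEN - 1) // HLEN):
            out += self.digest(seed + counter.to_bytes(4, "big"))
        return out[:length]


def oaep_encode(msg: bytes, params: bytes, seed: bytes) -> int:
    """EME-OAEP encoding to K-1 octets, returned as the integer the encrypter
    would feed to the RSA primitive (seed is a parameter so runs are repeatable)."""
    meter = HashMeter()
    lhash = meter.digest(params)
    ps = bytes(K - 1 - len(msg) - 2 * HLEN - 1)
    db = lhash + ps + b"\x01" + msg
    masked_db = xor(db, meter.mgf1(seed, len(db)))
    masked_seed = xor(seed, meter.mgf1(masked_db, HLEN))
    return int.from_bytes(masked_seed + masked_db, "big")


def _oaep_decode(em: bytes, params: bytes, meter: HashMeter, lhash=None):
    """EME-OAEP decoding of a K-1 octet encoded message. Every check is evaluated
    and the verdicts are combined at the end, so the amount of work done does
    not depend on which check fails."""
    if lhash is None:
        lhash = meter.digest(params)          # the hash the attacker can make slow
    masked_seed, masked_db = em[:HLEN], em[HLEN:]
    seed = xor(masked_seed, meter.mgf1(masked_db, HLEN))
    db = xor(masked_db, meter.mgf1(seed, len(masked_db)))
    ok = hmac.compare_digest(db[:HLEN], lhash)
    idx = HLEN
    while idx < len(db) and db[idx] == 0:      # skip the zero padding
        idx += 1
    ok &= idx < len(db) and db[idx] == 1       # the 0x01 separator must be present
    return ok, db[idx + 1:]


def decrypt_tail_v20(m: int, params: bytes):
    """Post-exponentiation steps in the PKCS #1 v2.0 order the paper criticises:
    convert to K-1 octets first ("integer too large" if m >= B), and only then
    decode, hashing `params` inside the decoding step."""
    meter = HashMeter()
    if m >= 256 ** (K - 1):
        return "decryption error", meter.octets   # rejected before any hashing
    ok, msg = _oaep_decode(m.to_bytes(K - 1, "big"), params, meter)
    return (msg if ok else "decryption error"), meter.octets


def decrypt_tail_reordered(m: int, params: bytes):
    """The same steps reordered as section 5.1 recommends: hash `params` before
    anything that depends on m, convert to K octets (which cannot fail for
    m < n), and fold the leading-octet test into the single final verdict so
    both error sources cost the same and report the same."""
    meter = HashMeter()
    lhash = meter.digest(params)
    em = m.to_bytes(K, "big")
    ok, msg = _oaep_decode(em[1:], params, meter, lhash)
    ok &= em[0] == 0                              # the m < B check, decided last
    return (msg if ok else "decryption error"), meter.octets


def clock_says_below_b(decrypt, m: int, params: bytes) -> bool:
    """What the attacker of section 4.4 infers from a stopwatch: a response that
    cost at least a hash of `params` must have reached OAEP decoding, so m < B."""
    _, cost = decrypt(m, params)
    return cost >= len(params)
```

In the v2.0 ordering both failures report the same string, but a ciphertext whose plaintext is at least B returns without hashing anything, while one below B pays for the hash of the parameters and two MGF1 calls before it fails; with a large parameter string that gap is the wristwatch oracle of section 4.4. In the reordered version every m costs the same, because the parameters are hashed before anything plaintext-dependent and the leading-octet test is just one more input to the final verdict. The example does not try to hide the data-dependent scan for the separator octet, and in a real implementation the modular exponentiation still dominates the measured time, as the paper notes.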

6 Conclusion 

Optimal Asymmetric Encryption Padding adds an integrity check and masks 
the structure of the message being encrypted to achieve plaintext-awareness and 
consequent protection against chosen ciphertext attack. However, translating the 
octet-aligned OAEP process into integers modulo n in RSAES-OAEP reintro- 
duced sufficient structure to make an adaptive chosen ciphertext attack possible, 
with a high likelihood, in many implementations. 

Acknowledgements. I thank the Director of Research, Telstra Research Lab- 
highlighting the risks of simply ignoring the structure in RSAES-OAEP. 
OAEP Reconsidered 

Abstract. The OAEP encryption scheme was introduced by Bellare 
and Rogaway at Eurocrypt '94. It converts any trapdoor permutation 
scheme into a public-key encryption scheme. OAEP is widely believed to 
provide resistance against adaptive chosen ciphertext attack. The main 
justification for this belief is a supposed proof of security in the random 
oracle model, assuming the underlying trapdoor permutation scheme is 
one way. 

This paper shows conclusively that this justification is invalid. First, it 
observes that there appears to be a non-trivial gap in the OAEP security 
proof. Second, it proves that this gap cannot be filled, in the sense that 
there can be no standard “black box” security reduction for OAEP. This 
is done by proving that there exists an oracle relative to which the general 
OAEP scheme is insecure. 

The paper also presents a new scheme OAEP+, along with a complete 
proof of security in the random oracle model. OAEP+ is essentially just 
as efficient as OAEP, and even has a tighter security reduction. 

It should be stressed that these results do not imply that a particular 
instantiation of OAEP, such as RSA-OAEP, is insecure. They simply 
undermine the original justification for its security. In fact, it turns out — 
essentially by accident, rather than by design — that RSA-OAEP is secure 
in the random oracle model; however, this fact relies on special algebraic 
properties of the RSA function, and not on the security of the general 
OAEP scheme. 



1 Introduction 



It is generally agreed that the "right" definition of security for a public key en- 
cryption scheme is security against adaptive chosen ciphertext attack, as defined 
in [RS91]. This notion of security is equivalent to other useful notions, such as 
the notion of non-malleability, as defined in [DDN91, DDN00]. 

[DDN91] proposed a scheme that is provably secure in this sense, based on 
standard intractability assumptions. While this scheme is useful as a proof of 
concept, it is quite impractical. [RS91] also propose a scheme that is provably 
secure; however, it too is quite impractical, and moreover, it has special 
"public key infrastructure" requirements. 

In 1993, Bellare and Rogaway proposed a method for converting any trapdoor 
permutation scheme into an encryption scheme [BR93]. They proved that this 
scheme is secure against adaptive chosen ciphertext attack in the random oracle 
model, provided the underlying trapdoor permutation scheme is one way. 

In the random oracle model, one analyzes the security of the scheme by 
pretending that a cryptographic hash function is really a random oracle. 

The encryption scheme in [BR93] is very efficient from the point of view of 
computation time. However, it has a "message expansion rate" that is not as 
good as some other encryption schemes. 

In 1994, Bellare and Rogaway proposed another method for converting any 
trapdoor permutation scheme into an encryption scheme [BR94]. This scheme 
goes by the name OAEP. The scheme when instantiated with the RSA function 
[RSA78] goes by the name RSA-OAEP, and is the industry-wide standard for 
RSA encryption (PKCS#1 version 2, IEEE P1363). It is just as efficient compu- 
tationally as the scheme in [BR93], but it has a better message expansion rate. 
With RSA-OAEP, one can encrypt messages whose bit-length is up to just a 
few hundred bits less than the number of bits in the RSA modulus, yielding a 
ciphertext whose size is the same as that of the RSA modulus. 

Besides its efficiency in terms of both time and message expansion, and its 
compatibility with more traditional implementations of RSA encryption, perhaps 
one of the reasons that OAEP is so popular is the widespread belief that the 
scheme is provably secure in the random oracle model, provided the underlying 
trapdoor permutation scheme is one way. 

In this paper we argue that this belief is unjustified. Specifically, we argue 
that in fact, no complete proof of the general OAEP method has ever appeared 
in the literature. Moreover, we prove that no proof is attainable using standard 
“black box” reductions (even in the random oracle model). Specifically, we show 
that there exists an oracle relative to which the general OAEP scheme is insecure. 
We then present a variation, OAEP+, and a complete proof of security in the 
random oracle model. OAEP+ is essentially just as efficient as OAEP. 

There is one more twist to this story: we observe that RSA-OAEP with 
encryption exponent 3 actually is provably secure in the random oracle model; 
the proof, of course, is not a "black box" reduction, but exploits special algebraic 
properties of the RSA function. These observations were subsequently extended 
in [FOPS00, FOPS01] to RSA-OAEP with arbitrary encryption exponent. 

Note that although the precise specifications of the standards (PKCS#1 version 
2, IEEE P1363) differ in a few minor points from the scheme described in [BR94], 
none of these minor changes affect the arguments we make here. 



1.1 A Missing Proof of Security 

[BR94] contains a valid proof that OAEP satisfies a certain technical property 
which they call "plaintext awareness." Let us call this property PA1. However, 
it is claimed without proof that PA1 implies security against chosen ciphertext 
attack and non-malleability. Moreover, it is not even clear if the authors mean 
adaptive chosen ciphertext attack (as in [RS91]) or indifferent (a.k.a. lunchtime) 
chosen ciphertext attack (as in [NY90]). 
Later, in [BDPR98], a new definition of "plaintext awareness" is given. Let 
us call this property PA2. It is claimed in [BDPR98] that OAEP is "plaintext 
aware." It is not clear if the authors mean to say that OAEP is PA1 or PA2; in 
any event, they certainly do not prove anything new about OAEP in [BDPR98]. 
Furthermore, [BDPR98] contains a valid proof that PA2 implies security against 
adaptive chosen ciphertext attack. 

Notice that nowhere in this chain of reasoning is a proof that OAEP is secure 
against adaptive chosen ciphertext attack. What is missing is a proof that either 
OAEP is PA2, or that PA1 implies security against adaptive chosen ciphertext 
attack. 

We should point out, however, that PA1 is trivially seen to imply security 
against indifferent chosen ciphertext attack, and thus OAEP is secure against 
indifferent chosen ciphertext attack. However, this is a strictly weaker and much 
less useful notion of security than security against adaptive chosen ciphertext 
attack. 

1.2 Our Contributions 

In §4 we give a rather informal argument that there is a non-trivial obstruction 
to obtaining a complete proof of security for OAEP against adaptive chosen 
ciphertext attack (in the random oracle model). 

In §5 we give more formal and compelling evidence for this. Specifically, we 
prove that if one-way trapdoor permutation schemes with an additional special 
property exist, then OAEP when instantiated with such a one-way trapdoor per- 
mutation scheme is in fact insecure. We do not know how to prove the existence 
of such special one-way trapdoor permutation schemes (assuming, say, that one- 
way trapdoor permutation schemes exist at all). However, we prove that there 
exists an oracle, relative to which such special one-way trapdoor permutation 
schemes exist. It follows that relative to an oracle, the OAEP construction is 
not secure. 

Actually, our proofs imply something slightly stronger: relative to an oracle, 
OAEP is malleable with respect to a chosen plaintext attack. 

Of course, such relativized results do not necessarily imply anything about the 
ordinary, unrelativized security of OAEP. But they do imply that standard proof 
techniques, in which the adversary and the trapdoor permutation are treated 
as “black boxes,” cannot possibly yield a proof of security, since they would 
relativize. Certainly, all of the arguments in [BR94] and [BDPR98] involve only 
"black box" reductions, and so they cannot possibly be modified to yield a proof 
of security. 

In §6 we present a new scheme, called OAEP+. This is a variation of OAEP 
that is essentially just as efficient in all respects as OAEP, but for which we 
provide a complete, detailed proof of security against adaptive chosen ciphertext 
attack. Moreover, the security reduction for OAEP+ is somewhat tighter than 
for OAEP. 

We conclude the paper in §7 on a rather ironic note. After considering other 
variations of OAEP, we sketch a proof that RSA-OAEP with encryption expo- 
nent 3 actually is secure in the random oracle model. This fact, however, makes 
essential use of Coppersmith's algorithm [Cop96] for solving low-degree mod- 
ular equations. This proof of security does not generalize to large encryption 
exponents, and in particular, it does not cover the popular encryption exponent 
$2^{16} + 1$. 

Part of the irony of this observation is that Coppersmith viewed his own 
result as a reason not to use exponent 3, while here, it ostensibly gives one 
reason why one perhaps should use exponent 3. 

It is also worth noting here that by using Coppersmith's algorithm, one 
gets a fairly tight security reduction for exponent-3 RSA-OAEP, and an even 
tighter reduction for exponent-3 RSA-OAEP+. These reductions are much more 
efficient than either the (incorrect) reduction for OAEP in [BR94], or our general 
reduction for OAEP+. Indeed, these general reductions are so inefficient that 
they fail to provide any truly meaningful security guarantees for, say, 1024-bit 
RSA, whereas with the use of Coppersmith's algorithm, the security guarantees 
are much more meaningful. 

Subsequent to the distribution of the original version of this paper [Sho00], it 
was shown in [FOPS00] that RSA-OAEP with an arbitrary encryption exponent 
is indeed secure against adaptive chosen ciphertext attack in the random oracle 
model. We remark, however, that the reduction in [FOPS00] is significantly 
less efficient than our general reduction for OAEP+, and so it provides a less 
meaningful security guarantee for typical choices of security parameters. This 
may be a reason to consider using RSA-OAEP+ instead of RSA-OAEP. 

We also mention the subsequent work of [Bon01], which considers OAEP-like 
variations of RSA as well as Rabin encryption. 

Let us be clear about the implications of our results. They do not imply an 
attack on RSA-OAEP. They only imply that the original justification for the 
belief that OAEP in general, and hence RSA-OAEP in particular, is resistant 
against adaptive chosen ciphertext attack was invalid. As it turns out, our obser- 
vations on exponent-3 RSA-OAEP, and the more general results of [FOPS00, 
FOPS01] on arbitrary-exponent RSA-OAEP, imply that RSA-OAEP is indeed 
secure against adaptive chosen ciphertext attack in the random oracle model. 
However, the security of RSA-OAEP does not follow from the security of OAEP 
in general, but rather, relies on specific algebraic properties of the RSA function. 

Before moving ahead, we recall some definitions in §2 and the OAEP scheme 
itself in §3. 



2 Preliminaries 

2.1 Security against Chosen Ciphertext Attack 

We recall the definition of security against adaptive chosen ciphertext attack. 
We begin by describing the attack scenario. 
Stage 1. The key generation algorithm is run, generating the public key and 
private key for the cryptosystem. The adversary, of course, obtains the public 
key, but not the private key. 

Stage 2. The adversary makes a series of arbitrary queries to a decryption ora- 
cle. Each query is a ciphertext y that is decrypted by the decryption oracle, 
making use of the private key of the cryptosystem. The resulting decryption 
is given to the adversary. The adversary is free to construct the ciphertexts 
in an arbitrary way — it is certainly not required to compute them using the 
encryption algorithm. 

Stage 3. The adversary prepares two messages $x_0, x_1$, and gives these to an 
encryption oracle. The encryption oracle chooses $b \in \{0,1\}$ at random, en- 
crypts $x_b$, and gives the resulting "target" ciphertext $y^*$ to the adversary. 
The adversary is free to choose $x_0$ and $x_1$ in an arbitrary way, except that if 
message lengths are not fixed by the cryptosystem, then these two messages 
must nevertheless be of the same length. 

Stage 4. The adversary continues to submit ciphertexts $y$ to the decryption 
oracle, subject only to the restriction that $y \neq y^*$. 

Stage 5. The adversary outputs $\hat{b} \in \{0,1\}$, representing its "guess" of $b$. 

That completes the description of the attack scenario. 

The adversary's advantage in this attack scenario is defined to be 
$|\Pr[\hat{b} = b] - 1/2|$. 

A cryptosystem is defined to be secure against adaptive chosen ciphertext 
attack if for any efficient adversary, its advantage is negligible. 

Of course, this is a complexity-theoretic definition, and the above description 
suppresses many details, e.g., there is an implicit security parameter which tends 
to infinity, and the terms “efficient” and “negligible” are technical terms, defined 
in the usual way. Also, we shall work in a uniform model of computation (i.e., 
Turing machines). 

The definition of security we have presented here is from [RS91]. It is called 
IND-CCA2 in [BDPR98]. It is known to be equivalent to other notions, such 
as non-malleability [DDN91, BDPR98, DDN00], which is called NM-CCA2 in 
[BDPR98]. 

It is fairly well understood and accepted that this notion of security is the 
“right” one, in the sense that a general-purpose cryptosystem that is to be 
deployed in a wide range of applications should satisfy this property. Indeed, 
with this property, one can typically establish the security of larger systems that 
use such a cryptosystem as a component. 

There are other, weaker notions of security against chosen ciphertext attack. 
For example, [NY90] define a notion that is sometimes called security against 
indifferent chosen ciphertext attack, or security against lunchtime attack. This 
definition of security is exactly the same as the one above, except that Stage 4 
is omitted, that is, the adversary does not have access to the decryption oracle 
after it obtains the target ciphertext. While this notion of security may seem 
natural, it is actually not sufficient in many applications. This notion is called 
IND-CCA1 in [BDPR98]. 
2.2 One-Way Trapdoor Permutations 

We recall the notion of a trapdoor permutation scheme. This consists of a prob- 
abilistic permutation generator algorithm that outputs (descriptions of) two al- 
gorithms $f$ and $g$, such that the function computed by $f$ is a permutation on 
the set of $k$-bit strings, and the function computed by $g$ is its inverse. 

An attack on a trapdoor permutation scheme proceeds as follows. First the 
generator is run, yielding $f$ and $g$. The adversary is given $f$, but not $g$. Addition- 
ally, the adversary is given a random $y \in \{0,1\}^k$. The adversary then computes 
and outputs a string $w \in \{0,1\}^k$. 

The adversary's success probability is defined to be $\Pr[f(w) = y]$. 

The scheme is called a one-way trapdoor permutation scheme if for any effi- 
cient adversary, its success probability is negligible. As above, this is a complexity 
theoretic definition, and we have suppressed a number of details, including a se- 
curity parameter, which is input to the permutation generator; the parameter 
$k$, as well as the running times of $f$ and $g$, should be bounded by a polynomial 
in this security parameter. 



2.3 The Random Oracle Model 

The random oracle model was introduced in [BR93] as a means of heuristically 
analyzing a cryptographic primitive or protocol. In this approach, one equips 
all of the algorithms associated with the primitive or protocol (including the 
adversary's algorithms) with oracle access to one or more functions. Each of 
these functions is a map from $\{0,1\}^a$ to $\{0,1\}^b$, for some specified values $a$ and 
$b$. One then reformulates the definition of security so that in the attack game, 
each of these functions is chosen at random from the set of all functions mapping 
$\{0,1\}^a$ to $\{0,1\}^b$. 

In an actual implementation, one typically instantiates these random oracles 
as cryptographic hash functions. 

Now, a proof of security in the random oracle model does not necessarily 
imply anything about security in the "real world" where actual computation 
takes place (see [CGH98]). Nevertheless, it seems that designing a scheme so 
that it is provably secure in the random oracle model is a good engineering 
principle, at least when all known schemes that are provably secure without the 
random oracle heuristic are too impractical. Subsequent to [BR93], many other 
papers have proposed and analyzed cryptographic schemes in the random oracle 
model. 



3 OAEP 

We now describe the OAEP encryption scheme, as described in §6 of [BR94]. 

The general scheme makes use of a one-way trapdoor permutation. Let $f$ 
be the permutation, acting on $k$-bit strings, and $g$ its inverse. The scheme also 
makes use of two parameters $k_0$ and $k_1$, which should satisfy $k_0 + k_1 < k$. It 
should also be the case that $2^{-k_0}$ and $2^{-k_1}$ are negligible quantities. The scheme 
encrypts messages $x \in \{0,1\}^n$, where $n = k - k_0 - k_1$. 

The scheme also makes use of two functions, $G : \{0,1\}^{k_0} \to \{0,1\}^{n+k_1}$ and 
$H : \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}$. These two functions will be modeled as random 
oracles in the security analysis. 

We describe the key generation, encryption, and decryption algorithms of the 
scheme. 

Key generation. This simply runs the generator for the one-way trapdoor per- 
mutation scheme, obtaining / and g. The public key is /, and the private 
key is g. 

Encryption. Given a plaintext $x$, the encryption algorithm randomly chooses 
$r \in \{0,1\}^{k_0}$, and then computes 

$s \in \{0,1\}^{n+k_1}$, $t \in \{0,1\}^{k_0}$, $w \in \{0,1\}^k$, $y \in \{0,1\}^k$ 

as follows: 

$s = G(r) \oplus (x \,\|\, 0^{k_1})$, (1) 
$t = H(s) \oplus r$, (2) 
$w = s \,\|\, t$, (3) 
$y = f(w)$. (4) 

The ciphertext is $y$. 

Decryption. Given a ciphertext $y$, the decryption algorithm computes 

$w \in \{0,1\}^k$, $s \in \{0,1\}^{n+k_1}$, $t \in \{0,1\}^{k_0}$, $r \in \{0,1\}^{k_0}$, 
$z \in \{0,1\}^{n+k_1}$, $x \in \{0,1\}^n$, $c \in \{0,1\}^{k_1}$ 

as follows: 

$w = g(y)$, (5) 
$s = w[0 \ldots n + k_1 - 1]$, (6) 
$t = w[n + k_1 \ldots k - 1]$, (7) 
$r = H(s) \oplus t$, (8) 
$z = G(r) \oplus s$, (9) 
$x = z[0 \ldots n - 1]$, (10) 
$c = z[n \ldots n + k_1 - 1]$. (11) 

If $c = 0^{k_1}$ then the algorithm outputs the cleartext $x$; otherwise, the algo- 
rithm rejects the ciphertext, and does not output a cleartext. 



4 An Informal Argument that OAEP Cannot Be Proven 
Secure 

In this section, we discuss the gap in the proof in [BR94]. The reader may safely 
choose to skip this section upon first reading. 

We first recall the main ideas of the proof in [BR94] that OAEP is "plaintext 
aware" in the random oracle model, where $G$ and $H$ are modeled as random 
oracles. 

The argument shows how a simulator that has access to a table of in- 
put/output values for the points at which $G$ and $H$ were queried can simulate 
the decryption oracle without knowing the private key. As we shall see, one must 
distinguish between random oracle queries made by the adversary and random 
oracle queries made by the encryption oracle. This is a subtle point, but the 
failure to make this distinction is really at the heart of the flawed reasoning in 
[BR94]. 

To make our arguments clearer, we introduce some notational conven- 
tions. First, any ciphertext $y$ implicitly defines values $w, s, t, r, z, x, c$ via the 
decryption equations (5)-(11). Let $y^*$ denote the target ciphertext, and let 
$w^*, s^*, t^*, r^*, z^*, x^*, c^*$ be the corresponding implicitly defined values for $y^*$. Note 
that $x^* = x_b$ and $c^* = 0^{k_1}$. 

Let $S_G$ be the set of values $r$ at which $G$ was queried by the adversary. Also, 
let $S_H$ be the set of values $s$ at which $H$ was queried by the adversary. Further, 
let $S_G^* = S_G \cup \{r^*\}$ and $S_H^* = S_H \cup \{s^*\}$, where $r^*, s^*$ are the values implicitly 
defined by $y^*$, as described above. We view these sets as growing incrementally 
as the adversary's attack proceeds: elements are added to these only when a 
random oracle is queried by the adversary or by the encryption oracle. 

Suppose the simulator is given a ciphertext $y$ to decrypt. One can show that 
if $r \notin S_G^*$, then with overwhelming probability the actual decryption algorithm 
would reject $y$; this is because in this case, $s$ and $G(r)$ are independent, and so the 
probability that $c = 0^{k_1}$ is $2^{-k_1}$. Moreover, if $s \notin S_H^*$, then with overwhelming 
probability, $r \notin S_G^*$; this is because in this case, $t$ and $H(s)$ are independent, and 
so $r$ is independent of the adversary's view. From this argument, it follows that 
the actual decryption algorithm would reject with overwhelming probability, 
unless $r \in S_G^*$ and $s \in S_H^*$. 

If the decryption oracle simulator (a.k.a., plaintext extractor) has access to 
$S_G^*$ and $S_H^*$, as well as the corresponding outputs of $G$ and $H$, then it can 
effectively simulate the decryption without knowing the secret key, as follows. It 
simply enumerates all $r' \in S_G^*$ and $s' \in S_H^*$, and for each of these computes 

$t' = H(s') \oplus r'$, $w' = s' \,\|\, t'$, $y' = f(w')$. 

If $y'$ is equal to $y$, then it computes the corresponding $x'$ and $c'$ values, via the 
equations (9)-(11); if $c' = 0^{k_1}$ it outputs $x'$, and otherwise rejects. If no $y'$ 
equals $y$, then it simply outputs reject. 

Given the above arguments, it is easy to see that this simulated decryption 
oracle behaves exactly like the actual decryption oracle, except with negligible 
probability. Certainly, if some y' = y, the simulator’s response is correct, and if 
no y' = y, then the above arguments imply that the real decryption oracle would 
have rejected y with overwhelming probability. 

From this, one would like to conclude that the decryption oracle does not 
help the adversary. But this reasoning is invalid. Indeed, the adversary in the 
actual attack has access to $S_G$ and $S_H$, along with the corresponding outputs 
of $G$ and $H$, but does not have direct access to $r^*, G(r^*), s^*, H(s^*)$. Thus, the 
above decryption simulator has more power than does the adversary. Moreover, 
if we give the decryption simulator access to $r^*, G(r^*), s^*, H(s^*)$, then the proof 
that $x^*$ is well hidden, unless the adversary can invert $f$, is doomed to failure: if 
the simulator needs to "know" $r^*$ and $s^*$, then it must already "know" $w^*$, and 
so one cannot hope to use the adversary to compute something that the simulator 
did not already know. 

On closer observation, it is clear that the decryption simulator does not need 
to know $s^*, H(s^*)$: if $s = s^*$, then it must be the case that $t \neq t^*$, which implies 
that $r \neq r^*$, and so $c = 0^{k_1}$ with negligible probability. Thus, it is safe to reject 
all ciphertexts $y$ such that $s = s^*$. 

If one could make an analogous argument that the decryption simulator does 
not need to know r*,G(r*), we would be done. This is unfortunately not the 
case, as the following example illustrates. 

The arguments in [BR94] simply do not take into account the random oracle 
queries made by the encryption oracle. All these arguments really show is that 
OAEP is secure against indifferent chosen ciphertext attack. 



4.1 An Example 

Suppose that we have an algorithm that actually can invert $f$. Now of course, 
in this case, we will not be able to construct a counter-example to the security 
of OAEP, but we will argue that the proof technique fails. In particular, we 
show how to build an adversary that uses the $f$-inverting algorithm to break the 
cryptosystem, but it does so in such a way that no simulator given black box 
access to the adversary and its random oracle queries can use our adversary to 
compute $g(y^*)$ for a given value of $y^*$. 

We now describe the adversary. Upon obtaining the target ciphertext $y^*$, the 
adversary computes $w^*$ using the algorithm for inverting $f$, and then extracts 
the corresponding values $s^*$ and $t^*$. The adversary then chooses an arbitrary, 
non-zero $\Delta \in \{0,1\}^n$, and computes: 

$s = s^* \oplus (\Delta \,\|\, 0^{k_1})$, $t = t^* \oplus H(s^*) \oplus H(s)$, $w = s \,\|\, t$, $y = f(w)$. 

It is easily verified that $y$ is a valid encryption of $x = x^* \oplus \Delta$, and clearly $y \neq y^*$. 
So if the adversary submits $y$ to the decryption oracle, he obtains $x$, from which 
he can then easily compute $x^*$. 

This adversary clearly breaks the cryptosystem; in fact, its advantage is 
1/2. However, note that in this attack, the adversary only queries the oracle $H$ at 
the points $s$ and $s^*$. It never queries the oracle $G$ at all. In fact $r = r^*$, and the 
attack succeeds just where the gap in the proof was identified above. 

What information has a simulator learned by interacting with the adversary 
as a black box? It has only learned $s^*$ and $s$ (and hence $\Delta$). So it has learned 
the first $n + k_1$ bits of the pre-image of $y^*$, but the last $k_0$ remain a complete 
mystery to the simulator, and in general, they will not be easily computable 
from the first $n + k_1$ bits. The simulator also has seen the value $y$ submitted to 
the decryption oracle, but it does not seem likely that this can be used by the 
simulator to any useful effect. 

5 Formal Evidence that the OAEP Construction Is Not 
Sound 

In this section, we present strong evidence that the OAEP construction is not 
sound. First, we show that if a special type of one-way trapdoor permutation $f_0$ 
exists, then in fact, we can construct another one-way trapdoor permutation $f$ 
such that OAEP using $f$ is insecure. Although we do not know how to explicitly 
construct such a special $f_0$, we can show that there is an oracle relative to which 
one exists. Thus, there is an oracle relative to which OAEP is insecure. This in 
turn implies that there is no standard "black box" security reduction for OAEP. 

Definition 1. We call a permutation generator XOR-malleable if the follow- 
ing property holds. There exists an efficient algorithm $U$, such that for infinitely 
many values of the security parameter, $U(f_0, f_0(t), \delta) = f_0(t \oplus \delta)$ with non- 
negligible probability. Here, the probability is taken over the random bits of the 
permutation generator, and random bit strings $t$ and $\delta$ in the domain $\{0,1\}^{k_0}$ of 
the generated permutation $f_0$. 

Theorem 1. If there exists an XOR-malleable one-way trapdoor permutation scheme, then there exists a one-way trapdoor permutation scheme such that when OAEP is instantiated with this scheme, the resulting encryption scheme is insecure (in the random oracle model).

We now prove this theorem, which is based on the example presented in §4.1. Let $f_0$ be the given XOR-malleable one-way trapdoor permutation on $k_0$-bit strings. Let $U$ be the algorithm that computes $f_0(t \oplus \delta)$ from $(f_0, f_0(t), \delta)$. Choose $n > 0$, $k_1 > 0$, and set $k = n + k_0 + k_1$. Let $f$ be the permutation on $k$-bit strings defined as follows: for $s \in \{0,1\}^{n+k_1}$, $t \in \{0,1\}^{k_0}$, let $f(s \| t) = s \| f_0(t)$.

It is clear that $f$ is a one-way trapdoor permutation.

Now consider the OAEP scheme that uses this $f$ as its one-way trapdoor permutation, and uses the parameters $k, n, k_0, k_1$ for the padding scheme.

Recall our notational conventions: any ciphertext $y$ implicitly defines values $w, s, t, r, z, x, c$, and the target ciphertext $y^*$ implicitly defines $w^*, s^*, t^*, r^*, z^*, x^*, c^*$.

We now describe the adversary. Upon obtaining the target ciphertext $y^*$, the adversary decomposes $y^*$ as $y^* = s^* \| f_0(t^*)$. The adversary then chooses an arbitrary, non-zero $\Delta \in \{0,1\}^n$, and computes:

$$s = s^* \oplus (\Delta \| 0^{k_1}), \quad v = U(f_0, f_0(t^*), H(s^*) \oplus H(s)), \quad y = s \| v.$$

It is easily verified that $y$ is a valid encryption of $x = x^* \oplus \Delta$, provided $v = f_0(t^* \oplus H(s^*) \oplus H(s))$, which by our assumption of XOR-malleability occurs with non-negligible probability. Indeed, we have

$$t = t^* \oplus H(s^*) \oplus H(s),$$
$$r = H(s) \oplus t = H(s^*) \oplus t^* = r^*,$$
$$z = G(r) \oplus s = G(r^*) \oplus s^* \oplus (\Delta \| 0^{k_1}) = (x^* \oplus \Delta) \| 0^{k_1}.$$

So if the adversary submits $y$ to the decryption oracle, he obtains $x$, from which he can then easily compute $x^*$.

This adversary clearly breaks the cryptosystem. That completes the proof of the theorem.

Note that in the above attack, $r = r^*$ and the adversary never explicitly queried $G$ at $r$, but was able to “hijack” $G(r)$ from the encryption oracle — this is the essence of the problem with OAEP.

Note that this attack also shows that the scheme is malleable with respect to chosen plaintext attack.

Of course, one might ask if it is at all reasonable to believe that XOR-malleable one-way trapdoor permutations exist at all. First of all, note that the standard RSA function is a one-way trapdoor permutation that is not XOR-malleable, but is still malleable in a very similar way: given $\alpha = (a^e \bmod N)$ and $(b \bmod N)$, we can compute $((ab)^e \bmod N)$ as $(\alpha \cdot (b^e \bmod N))$. Thus, we can view the RSA function itself as a kind of malleable one-way trapdoor permutation, but where XOR is replaced by multiplication mod $N$. In fact, one could modify the OAEP scheme so that $t$, $H(s)$ and $r$ are numbers mod $N$, and instead of the relation $t = H(s) \oplus r$, we would use the relation $t = H(s) \cdot r \bmod N$. It would seem that if there were a proof of security for OAEP, then it should go through for this variant of OAEP as well. But yet, this variant of OAEP is clearly insecure, even though the underlying trapdoor permutation is presumably one way.

Another example is exponentiation in a finite abelian group. For a group element $g$, the function mapping $a$ to $g^a$ is malleable with respect to both addition and multiplication modulo the order of $g$. Although for appropriate choices of groups this function is a reasonable candidate for a one-way permutation, it does not have a trapdoor.

Beyond this, we prove a relativized result. 

Theorem 2. There exists an oracle, relative to which XOR-malleable one-way trapdoor permutations exist.

This theorem provides some evidence that the notion of an XOR-malleable 
one-way trapdoor permutation scheme is not a priori vacuous. 

Also, Theorems 1 and 2 imply the following.

Corollary 1. There exists an oracle, relative to which the OAEP construction 
is insecure. 

We should stress the implications of this corollary. 
Normally, to prove the security of a cryptographic system, one proves this via a “black box” security reduction from solving the underlying “hard” problem to breaking the cryptographic system. Briefly, such a reduction for a cryptosystem based on a general trapdoor permutation scheme would be an efficient, probabilistic algorithm that inverts a permutation $f$ on a random point, given oracle access to an adversary that successfully breaks the cryptosystem (instantiated with $f$) and the permutation $f$. It should work for all adversaries and all permutations, even ones that are not efficiently computable, or even computable at all. Whatever the adversary's advantage is in breaking the cryptosystem, the success probability of the inversion algorithm should not be too much smaller.

We do not attempt to make a more formal or precise definition of a black-box security reduction, but it should be clear that any such reduction would imply security relative to any oracle. So Corollary 1 implies that there is no black-box security reduction for OAEP.

For lack of space, we do not present the proof of Theorem 2 in this extended abstract. The reader is referred to the full-length version of this paper.

6 OAEP+ 

We now describe the OAEP+ encryption scheme, which is just a slight modification of the OAEP scheme.

The general scheme makes use of a one-way trapdoor permutation. Let $f$ be the permutation, acting on $k$-bit strings, and $g$ its inverse. The scheme also makes use of two parameters $k_0$ and $k_1$, which should satisfy $k_0 + k_1 < k$. It should also be the case that $2^{-k_0}$ and $2^{-k_1}$ are negligible quantities. The scheme encrypts messages $x \in \{0,1\}^n$, where $n = k - k_0 - k_1$.

The scheme also makes use of three functions:

$$G : \{0,1\}^{k_0} \to \{0,1\}^{n}, \quad H' : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}, \quad H : \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}.$$

These three functions will be modeled as independent random oracles in the security analysis.

We describe the key generation, encryption, and decryption algorithms of the 
scheme. 

Key generation. This simply runs the generator for the one-way trapdoor permutation scheme, obtaining $f$ and $g$. The public key is $f$, and the private key is $g$.

Encryption. Given a plaintext $x$, the encryption algorithm randomly chooses $r \in \{0,1\}^{k_0}$, and then computes

$$s \in \{0,1\}^{n+k_1}, \quad t \in \{0,1\}^{k_0}, \quad w \in \{0,1\}^{k}, \quad y \in \{0,1\}^{k}$$

as follows:

$$s = (G(r) \oplus x) \| H'(r \| x), \quad (12)$$
$$t = H(s) \oplus r, \quad (13)$$
$$w = s \| t, \quad (14)$$
$$y = f(w). \quad (15)$$

The ciphertext is $y$.

Decryption. Given a ciphertext $y$, the decryption algorithm computes

$$w = g(y), \quad (16)$$
$$s = w[0 \ldots n + k_1 - 1], \quad (17)$$
$$t = w[n + k_1 \ldots k - 1], \quad (18)$$
$$r = H(s) \oplus t, \quad (19)$$
$$x = G(r) \oplus s[0 \ldots n - 1], \quad (20)$$
$$c = s[n \ldots n + k_1 - 1]. \quad (21)$$

If $c = H'(r \| x)$, then the algorithm outputs the cleartext $x$; otherwise, the algorithm rejects the ciphertext, and does not output a cleartext.
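To show why the data-dependent redundancy $H'(r \| x)$ of OAEP+ closes the gap exploited in the proof of Theorem 1, the following Python (an added example, not code from the paper) implements byte-level toy versions of both OAEP and OAEP+ and runs the mauling adversary of Section 5 against each. The XOR-malleable $f_0(t) = t \oplus \mathrm{KEY}$ (deliberately not one-way, it only exercises the algebra), the byte-length parameters, and the SHA-256 instantiation of $G$, $H$, $H'$ are all assumptions of this example.

```python
import hashlib
import os

# Toy byte-level parameters (constructed for this example): messages are N bytes,
# r is K0 bytes, the zero-redundancy (OAEP) or H' tag (OAEP+) is K1 bytes.
N, K0, K1 = 8, 16, 16
K = N + K0 + K1


def xor(a, b):
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def ro(tag, data, outlen):
    # Random oracles instantiated as domain-separated, truncated SHA-256 (assumption).
    return hashlib.sha256(tag + b"|" + data).digest()[:outlen]


def G_oaep(r):        # OAEP:  G : {0,1}^k0 -> {0,1}^(n+k1)
    return ro(b"G", r, N + K1)

def G_plus(r):        # OAEP+: G : {0,1}^k0 -> {0,1}^n
    return ro(b"G", r, N)

def H(s):             # H : {0,1}^(n+k1) -> {0,1}^k0
    return ro(b"H", s, K0)

def H_prime(r, x):    # H' : {0,1}^(k0+n) -> {0,1}^k1
    return ro(b"H'", r + x, K1)


# Toy "trapdoor permutation" f0(t) = t XOR KEY.  It is XOR-malleable, since
# U(f0(t), d) = f0(t) XOR d = f0(t XOR d), but it is NOT one-way; it exists only
# to exercise Theorem 1's construction f(s || t) = s || f0(t).
KEY = os.urandom(K0)

def f(w):
    return w[:N + K1] + xor(w[N + K1:], KEY)

def g(y):             # inverse of f, i.e. the trapdoor
    return y[:N + K1] + xor(y[N + K1:], KEY)

def U(v, delta):      # the malleability algorithm of Definition 1
    return xor(v, delta)


def oaep_encrypt(x, r=None):
    r = os.urandom(K0) if r is None else r
    s = xor(x + bytes(K1), G_oaep(r))        # s = (x || 0^k1) XOR G(r)
    t = xor(H(s), r)
    return f(s + t)

def oaep_decrypt(y):
    w = g(y)
    s, t = w[:N + K1], w[N + K1:]
    r = xor(H(s), t)
    z = xor(G_oaep(r), s)
    x, c = z[:N], z[N:]
    return x if c == bytes(K1) else None     # accept iff the redundancy is all zero

def oaep_plus_encrypt(x, r=None):
    r = os.urandom(K0) if r is None else r
    s = xor(G_plus(r), x) + H_prime(r, x)    # eq. (12): tag depends on r and x
    t = xor(H(s), r)                         # eq. (13)
    return f(s + t)                          # eqs. (14), (15)

def oaep_plus_decrypt(y):
    w = g(y)                                 # eq. (16)
    s, t = w[:N + K1], w[N + K1:]            # eqs. (17), (18)
    r = xor(H(s), t)                         # eq. (19)
    x, c = xor(G_plus(r), s[:N]), s[N:]      # eqs. (20), (21)
    return x if c == H_prime(r, x) else None


def maul(y_star, delta):
    """Section 5's adversary: queries H only at s* and s, never G, and calls U once."""
    assert len(delta) == N and any(delta)
    s_star, v_star = y_star[:N + K1], y_star[N + K1:]
    s = xor(s_star, delta + bytes(K1))       # flip message bits, keep the last k1 bits
    v = U(v_star, xor(H(s_star), H(s)))      # v = f0(t* XOR H(s*) XOR H(s))
    return s + v


def demo(x_star, delta):
    """Returns (OAEP's decryption of the mauled ciphertext, OAEP+'s decryption of it)."""
    return (oaep_decrypt(maul(oaep_encrypt(x_star), delta)),
            oaep_plus_decrypt(maul(oaep_plus_encrypt(x_star), delta)))


if __name__ == "__main__":
    # OAEP returns x* XOR delta (the attack of Theorem 1); OAEP+ rejects (None),
    # because the tag H'(r*, x*) carried in s no longer matches H'(r*, x* XOR delta).
    print(demo(b"plaintxt", b"\x80" + bytes(N - 1)))
```

For OAEP+ the forged ciphertext is accepted only if $H'(r^* \| x^*) = H'(r^* \| x^* \oplus \Delta)$, which for the 16-byte tag used here has probability $2^{-128}$ per attempt.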

Theorem 3. If the underlying trapdoor permutation scheme is one way, then 
OAEP+ is secure against adaptive chosen ciphertext attack in the random oracle 
model. 

We start with some notations and conventions. 

Let $A$ be an adversary, and let $G_0$ be the original attack game. Let $b$ and $\hat b$ be as defined earlier, and let $S_0$ be the event that $\hat b = b$.

Let $q_G$, $q_H$, and $q_{H'}$ bound the number of queries made by $A$ to the oracles $G$, $H$, and $H'$ respectively, and let $q_D$ bound the number of decryption oracle queries.

We assume without loss of generality that whenever $A$ makes a query of the form $H'(r \| x)$, for any $r \in \{0,1\}^{k_0}$, $x \in \{0,1\}^n$, then $A$ has previously made the query $G(r)$.

We shall show that

$$|\Pr[S_0] - 1/2| \le \mathrm{InvAdv}(A') + (q_{H'} + q_D)/2^{k_1} + (q_D + 1) q_G / 2^{k_0}, \quad (22)$$

where $\mathrm{InvAdv}(A')$ is the success probability that a particular adversary $A'$ has in breaking the one-way trapdoor permutation scheme on $k$-bit inputs. The time and space requirements of $A'$ are related to those of $A$ as follows:

$$\mathrm{Time}(A') = O(\mathrm{Time}(A) + q_G q_H T_f + (q_G + q_{H'} + q_H + q_D) k); \quad (23)$$

$$\mathrm{Space}(A') = O(\mathrm{Space}(A) + (q_G + q_{H'} + q_H) k). \quad (24)$$

Here, $T_f$ is the time required to compute $f$, and space is measured in bits of storage. These complexity estimates assume a standard random-access model of computation.
Any ciphertext $y$ implicitly defines values $w, s, t, r, x, c$ via the decryption equations (16)–(21). Let $y^*$ denote the target ciphertext, and let $w^*, s^*, t^*, r^*, x^*, c^*$ be the corresponding implicitly defined values for $y^*$. Note that $x^* = x_b$ and $c^* = H'(r^* \| x^*)$.

We define sets $S_G$ and $S_H$, as before, as follows. Let $S_G$ be the set of values $r$ at which $G$ was queried by $A$. Also, let $S_H$ be the set of values $s$ at which $H$ was queried by $A$. Additionally, define $S_{H'}$ to be the set of pairs $(r, x)$ such that $H'$ was queried at $r \| x$ by $A$. We view these sets as growing incrementally as $A$'s attack proceeds — elements are added to these only when a random oracle is queried by $A$.

We also define $A$'s view as the sequence of random variables

$$\mathrm{View} = (X_0, X_1, \ldots),$$

where $X_0$ consists of $A$'s coin tosses and the public key of the encryption scheme, and where each $X_i$ for $i \ge 1$ consists of a response to either a random oracle query, a decryption oracle query, or the encryption oracle query. The $i$th such query is a function of $(X_0, \ldots, X_{i-1})$. The adversary's final output $\hat b$ is a function of View. At any fixed point in time, $A$ has made some number, say $m$, queries, and we define

$$\mathrm{CurrentView} = (X_0, \ldots, X_m).$$

Our overall strategy for the proof is as follows. We shall define a sequence $G_1, G_2, \ldots, G_5$ of modified attack games. Each of the games $G_0, G_1, \ldots, G_5$ operates on the same underlying probability space. In particular, the public key and private key of the cryptosystem, the coin tosses of $A$, the values of the random oracles, and the hidden bit $b$ take on identical values across all games. Only some of the rules defining how the view is computed differ from game to game. For any $1 \le i \le 5$, we let $S_i$ be the event that $\hat b = b$ in game $G_i$. Our strategy is to show that for $1 \le i \le 5$, the quantity $|\Pr[S_{i-1}] - \Pr[S_i]|$ is negligible. Also, it will be evident from the definition of game $G_5$ that $\Pr[S_5] = 1/2$, which will imply that $|\Pr[S_0] - 1/2|$ is negligible.

In games $G_1$, $G_2$, and $G_3$, we incrementally modify the decryption oracle, so that in game $G_3$, the modified decryption oracle operates without using the trapdoor for $f$ at all. In games $G_4$ and $G_5$, we modify the encryption oracle, so that in game $G_5$, the hidden bit $b$ is completely independent of View.

To make a rigorous and precise proof, we state the following very simple, but useful lemma, which we leave to the reader to verify.

Lemma 1. Let $E$, $E'$, and $F$ be events defined on a probability space such that $\Pr[E \wedge \neg F] = \Pr[E' \wedge \neg F]$. Then we have $|\Pr[E] - \Pr[E']| \le \Pr[F]$.

Game $G_1$. Now we modify game $G_0$ to define a new game $G_1$.

We modify the decryption oracle as follows. Given a ciphertext $y$, the new decryption oracle computes $w, s, t, r, x, c$ as usual. If the old decryption oracle rejects, so does the new one. But the new decryption oracle also rejects if $(r, x) \notin S_{H'}$. More precisely, if the new decryption oracle computes $r$ via equation (19), and finds that $r \notin S_G$, then it rejects right away, without ever querying $G(r)$; if $r \in S_G$, then $x$ is computed, but if $(r, x) \notin S_{H'}$, it rejects without querying $H'(r \| x)$. Recall that by convention, if $A$ queried $H'(r \| x)$, it already queried $G(r)$. One sees that in game $G_1$, the decryption oracle never queries $G$ or $H'$ at points other than those at which $A$ did.

Let $F_1$ be the event that a ciphertext is rejected in $G_1$ that would not have been rejected under the rules of game $G_0$.

Consider a ciphertext $y \ne y^*$ submitted to the decryption oracle. If $r = r^*$ and $x = x^*$, then we must have $c \ne c^*$; in this case, however, we will surely reject under the rules of game $G_0$. So we assume that $r \ne r^*$ or $x \ne x^*$. Now, the encryption oracle has made the query $H'(r^* \| x^*)$, but not $H'(r \| x)$, since $(r, x) \ne (r^*, x^*)$. So if $A$ has not made the query $H'(r \| x)$, the value of $H'(r \| x)$ is independent of CurrentView, and hence, is independent of $c$, which is a function of CurrentView and $H$. Therefore, the probability that $c = H'(r \| x)$ is $1/2^{k_1}$.

From the above, it follows that $\Pr[F_1] \le q_D / 2^{k_1}$. Moreover, it is clear by construction that $\Pr[S_0 \wedge \neg F_1] = \Pr[S_1 \wedge \neg F_1]$, since the two games proceed identically unless the event $F_1$ occurs; that is, the value of View is the same in both games, provided $F_1$ does not occur. So applying Lemma 1 with $(S_0, S_1, F_1)$, we have

$$|\Pr[S_0] - \Pr[S_1]| \le q_D / 2^{k_1}. \quad (25)$$

Game $G_2$. Now we modify game $G_1$ to obtain a new game $G_2$. In this new game, we modify the decryption oracle yet again. Given a ciphertext $y$, the new decryption oracle computes $w, s, t, r, x, c$ as usual. If the old decryption oracle rejects, so does the new one. But the new decryption oracle also rejects if $s \notin S_H$. More precisely, if the new decryption oracle computes $s$ via equation (17), and finds that $s \notin S_H$, then it rejects right away, without ever querying $H(s)$. Thus, in game $G_2$, the decryption oracle never queries $G$, $H'$, or $H$ at points other than those at which $A$ did.

Let $F_2$ be the event that a ciphertext is rejected in $G_2$ that would not have been rejected under the rules of game $G_1$.

Consider a ciphertext $y \ne y^*$ with $s \notin S_H$ submitted to the decryption oracle. We consider two cases.

Case 1: $s = s^*$. Now, $s = s^*$ and $y \ne y^*$ implies $t \ne t^*$. Moreover, $s = s^*$ and $t \ne t^*$ implies that $r \ne r^*$. If this ciphertext is rejected in game $G_2$ but would not be under the rules in game $G_1$, it must be the case that $H'(r^* \| x^*) = H'(r \| x)$. The probability that such a collision can be found over the course of the attack is $q_{H'} / 2^{k_1}$. Note that $r^*$ is fixed by the encryption oracle, and so “birthday attacks” are not possible.

Case 2: $s \ne s^*$. In this case, the oracle $H$ was never queried at $s$ by either $A$, the encryption oracle, or the decryption oracle. Since $t = H(s) \oplus r$, the value $r$ is independent of CurrentView. It follows that the probability that $r \in S_G$ is at most $q_G / 2^{k_0}$. Over the course of the entire attack, these probabilities sum to $q_D q_G / 2^{k_0}$.

It follows that $\Pr[F_2] \le q_{H'} / 2^{k_1} + q_D q_G / 2^{k_0}$. Moreover, it is clear by construction that $\Pr[S_1 \wedge \neg F_2] = \Pr[S_2 \wedge \neg F_2]$, since the two games proceed identically unless $F_2$ occurs. So applying Lemma 1 with $(S_1, S_2, F_2)$, we have

$$|\Pr[S_1] - \Pr[S_2]| \le q_{H'} / 2^{k_1} + q_D q_G / 2^{k_0}. \quad (26)$$

Game $G_3$. Now we modify game $G_2$ to obtain an equivalent game $G_3$. We modify the decryption oracle so that it does not make use of the trapdoor for $f$ at all.

Conceptually, this new decryption oracle iterates through all pairs $(r', x') \in S_{H'}$. For each of these, it does the following. First, it sets $s' = (G(r') \oplus x') \| H'(r' \| x')$. Note that both $G$ and $H'$ have already been queried at the given points. Second, if $s' \in S_H$, it then computes

$$t' = H(s') \oplus r', \quad w' = s' \| t', \quad y' = f(w').$$

If $y'$ is equal to $y$, it stops and outputs $x'$.

If the above iteration terminates without having found some $y' = y$, then the new decryption oracle simply rejects.

It is clear that games $G_3$ and $G_2$ are identical, and so

$$\Pr[S_3] = \Pr[S_2]. \quad (27)$$

To actually implement this idea, one would build up a table, with one entry for each $(r', x') \in S_{H'}$. Each entry in the table would contain the corresponding value $s'$, along with $y'$ if $s'$ is currently in $S_H$. If $s'$ is currently not in $S_H$, we place $y'$ in the table entry if and when $A$ eventually queries $H(s')$. When a ciphertext $y$ is submitted to the decryption oracle, we simply perform a table lookup to see if there is a $y'$ in the table that is equal to $y$. These tables can all be implemented using standard data structures and algorithms. Using search tries to implement the table lookup, the total running time of the simulated decryption oracle over the course of game $G_3$ is

$$O(\min(q_{H'}, q_H) T_f + (q_G + q_{H'} + q_H + q_D) k).$$

Note also that the space needed is essentially linear: $O((q_G + q_{H'} + q_H) k)$ bits.

Remark. Let us summarize the modifications made so far. We have modified the decryption oracle so that it does not make use of the trapdoor for $f$ at all; moreover, the decryption oracle never queries $G$, $H'$, or $H$ at points other than those at which $A$ did.

Game $G_4$. In this game, we modify the random oracles and slightly modify the encryption oracle. The resulting game $G_4$ is equivalent to game $G_3$; however, this rather technical “bridging” step will facilitate the analysis of more drastic modifications of the encryption oracle in games $G_5$ and $G_6$ below.

We introduce random bit strings $r^+ \in \{0,1\}^{k_0}$ and $g^+ \in \{0,1\}^n$. We also introduce a new random oracle

$$h^+ : \{0,1\}^n \to \{0,1\}^{k_1}.$$

Game $G_4$ is the same as game $G_3$, except that we apply the following special rules.

R1: In the encryption oracle, we compute

$$y^* = f(s^* \| (H(s^*) \oplus r^*)),$$

where

$$r^* = r^+ \quad \text{and} \quad s^* = (g^+ \oplus x_b) \| h^+(x_b).$$

R2: Whenever the random oracle $G$ is queried at $r^+$, we respond with the value $g^+$ instead of $G(r^+)$.

R3: Whenever the random oracle $H'$ is queried at a point $r^+ \| x$ for some $x \in \{0,1\}^n$, we respond with the value $h^+(x)$, instead of $H'(r^+ \| x)$.

That completes the description of game $G_4$. It is a simple matter to verify that the random variable $(\mathrm{View}, b)$ has the same distribution in both games $G_3$ and $G_4$, since we have simply replaced one set of random variables by a different, but identically distributed, set of random variables. In particular,

$$\Pr[S_4] = \Pr[S_3]. \quad (28)$$

Game $G_5$. This game is identical to game $G_4$, except that we drop rules R2 and R3, while retaining rule R1.

In game $G_5$, it will not in general hold that $x^* = x_b$ or that $H'(r^* \| x^*) = c^*$. Moreover, since the value $g^+$ is not used anywhere else in game $G_5$ other than to “mask” $x_b$ in the encryption oracle, we have

$$\Pr[S_5] = 1/2. \quad (29)$$

Despite the above differences, games $G_4$ and $G_5$ proceed identically unless $A$ queries $G$ at $r^*$ or $H'$ at $r^* \| x$ for some $x \in \{0,1\}^n$. Recall that by our convention, whenever $A$ queries $H'$ at $r^* \| x$ for some $x \in \{0,1\}^n$, then $G$ has already been queried at $r^*$. Let $F_5$ be the event that in game $G_5$, $A$ queries $G$ at $r^*$. We have $\Pr[S_4 \wedge \neg F_5] = \Pr[S_5 \wedge \neg F_5]$, and so by Lemma 1 applied to $(S_4, S_5, F_5)$,

$$|\Pr[S_4] - \Pr[S_5]| \le \Pr[F_5]. \quad (30)$$

Game $G_6$. We introduce an auxiliary game $G_6$ in order to bound $\Pr[F_5]$. In game $G_6$, we modify the encryption oracle once again. Let $y^+ \in \{0,1\}^k$ be a random bit string. Then in the encryption oracle, we simply set $y^* = y^+$, ignoring the encryption algorithm altogether.

It is not too hard to see that the random variable $(\mathrm{View}, r^*)$ has the same distribution in both games $G_5$ and $G_6$. Indeed, the distribution of $(\mathrm{View}, r^*)$ in game $G_5$ clearly remains the same if we instead choose $r^*$ and $s^*$ at random, and compute $y^* = f(s^* \| (H(s^*) \oplus r^*))$. Simply choosing $y^*$ at random clearly induces the same distribution on $(\mathrm{View}, r^*)$. In particular, if we define $F_5'$ to be the event that in game $G_6$ $A$ queries $G$ at $r^*$, then

$$\Pr[F_5] = \Pr[F_5']. \quad (31)$$

So our goal now is to bound $\Pr[F_5']$. To this end, let $F_5''$ be the event that $A$ queries $H$ at $s^*$ in game $G_6$. Then we have

$$\Pr[F_5'] = \Pr[F_5' \wedge F_5''] + \Pr[F_5' \wedge \neg F_5'']. \quad (32)$$
First, we claim that

$$\Pr[F_5' \wedge F_5''] \le \mathrm{InvAdv}(A'), \quad (33)$$

where $\mathrm{InvAdv}(A')$ is the success probability of an inverting algorithm $A'$ whose time and space requirements are bounded as in (23) and (24). To see this, observe that if $A$ queries $G$ at $r^*$ and $H$ at $s^*$, then we can easily convert the attack into an algorithm $A'$ that computes $g(y^+)$ on input $y^+$. $A'$ simply runs $A$ against game $G_5$. When $A$ terminates, $A'$ enumerates all $r' \in S_G$ and $s' \in S_H$, and for each of these computes

$$t' = H(s') \oplus r', \quad w' = s' \| t', \quad y' = f(w').$$

If $y'$ is equal to $y^+$, then $A'$ outputs $w'$ and terminates.

Although game $G_6$ is defined with respect to random oracles, there are no random oracles in $A'$. To implement $A'$, one simulates the random oracles that appear in game $G_5$ in the “natural” way. That is, whenever $A$ queries a random oracle at a new point, $A'$ generates an output for the oracle at random and puts this into a lookup table keyed by the input to the oracle. If $A$ has previously queried the oracle at a point, $A'$ takes the output value from the lookup table. Again, using standard algorithms and data structures, such as search tries, the running time and space complexity of $A'$ are easily seen to be bounded as claimed in (23) and (24).

Unfortunately, the running time of $A'$ is much worse than that of the simulated decryption oracle described in game $G_3$. But at least the space remains essentially linear in the total number of oracle queries.

We also claim that

$$\Pr[F_5' \wedge \neg F_5''] \le q_G / 2^{k_0}. \quad (34)$$

To see this, consider a query of $G$ at $r$, prior to which $H$ has not been queried at $s^*$. Since $t^* = H(s^*) \oplus r^*$, the value $r^*$ is independent of CurrentView, and so $\Pr[r = r^*] = 1/2^{k_0}$. The bound (34) now follows.

Equations (32)–(34) together imply

$$\Pr[F_5'] \le \mathrm{InvAdv}(A') + q_G / 2^{k_0}. \quad (35)$$

Equations (25), (26), (27), (28), (29), (30), (31), and (35) together imply the bound (22).

That completes the proof of Theorem 3.

Remark. Our reduction from inverting $f$ to breaking OAEP+ is tighter than the corresponding reduction for OAEP in [BR94]. In particular, the OAEP+ construction facilitates a much more efficient “plaintext extractor” than the OAEP construction. The latter apparently requires either

— time proportional to $q_D q_G q_H$ and space linear in the number of oracle queries, or

— time proportional to $q_D + q_G q_H$ and space proportional to $q_G q_H$ (if one builds a look-up table).

For OAEP+, the total time and space complexity of the plaintext extractor in game $G_3$ is linear in the number of oracle queries. Unfortunately, our inversion algorithm for OAEP+ in game $G_5$ still requires time proportional to $q_G q_H$, although its space complexity is linear in the number of oracle queries. We should remark that as things now stand, the reductions for OAEP+ are not tight enough to actually imply that an algorithm that breaks, say, 1024-bit RSA-OAEP+ in a “reasonable” amount of time implies an algorithm that solves the RSA problem in time faster than the best known factoring algorithms. However, as we shall see in §7.2 for exponent-3 RSA-OAEP+, one can in fact get a very tight reduction. An interesting open problem is to get a tighter reduction for OAEP+ or a variant thereof.

7 Further Observations 

7.1 Other Variations of OAEP 

Instead of modifying OAEP as we did, one could also modify OAEP so that instead of adding the data-independent redundancy $0^{k_1}$ used by OAEP, one added the data-dependent redundancy $H''(x)$, where $H''$ is a hash function mapping $n$-bit strings to $k_1$-bit strings. This variant of OAEP — call it OAEP' — suffers from the same problem from which OAEP suffers. Indeed, Theorem 1 holds also for OAEP'.

7.2 RSA-OAEP with Exponent 3 Is Provably Secure

Consider RSA-OAEP. Let $N$ be the modulus and $e$ the encryption exponent. Then this scheme actually is secure in the random oracle model, provided $k_0 < \log_2 N / e$. This condition is satisfied by typical implementations of RSA-OAEP with $e = 3$.

We sketch very briefly why this is so. 

We first remind the reader of the attempted proof of security of OAEP given earlier, and we adopt all the notation specified there.

Suppose an adversary submits a ciphertext $y$ to the decryption oracle. We observed earlier that if the adversary never explicitly queried $H(s)$, then with overwhelming probability, the actual decryption oracle would reject. The only problem was, we could not always say the same thing about $G(r)$ (specifically, when $r = r^*$).

For a bit string $v$, let $I(v)$ denote the unique integer such that $v$ is a binary representation of $I(v)$.

If a simulated decryption oracle knows $s$ (it will be one of the adversary's $H$-queries), then $X = I(t)$ is a solution to the equation

$$(X + 2^{k_0} I(s))^e = y \pmod N.$$

To find $I(t)$, we can apply Coppersmith's algorithm [Cop96]. This algorithm works provided $I(t) < N^{1/e}$, which is guaranteed by our assumption that $k_0 < \log_2 N / e$.

More precisely, for all $s' \in S_H$, the simulated decryption oracle tries to find a corresponding solution $t'$ using Coppersmith's algorithm. If all of these attempts fail, then the simulator rejects $y$. Otherwise, knowing $s$ and $t$, it decrypts $y$ in the usual way.

We can also apply Coppersmith’s algorithm in the step of the proof where we 
use the adversary to help us to extract a challenge instance of the RSA problem. 

Not only does this prove security, but we get a more efficient reduction — the implied inverting algorithm has a running time roughly equal to that of the adversary, plus $O(q_D q_H T_C)$, where $T_C$ is the running time of Coppersmith's algorithm.

We can also use the same observation to speed up the reduction for exponent-3 RSA-OAEP+. The total running time of the implied inversion algorithm would be roughly equal to that of the adversary, plus $O(q_H T_C)$; that is, a factor of $q_D$ faster than the inversion algorithm implied by RSA-OAEP. Unlike the generic security reduction for OAEP+, this security reduction is essentially tight, and so it has much more meaningful implications for the security of the scheme when used with a typical, say, 1024-bit RSA modulus.



7.3 RSA-OAEP with Large Exponent 

In our example in §4.1 as well as in our proof of Theorem 1 the adversary is able to create a valid ciphertext $y$ without ever querying $G(r)$. However, this adversary queries both $H(s)$ and $H(s^*)$. As we already noted, the adversary must query $H(s)$. But it turns out that if the adversary avoids querying $G(r)$, he must query $H(s^*)$. This observation was made by [FOPS00], who then further observed that this implies the security of RSA-OAEP with arbitrary encryption exponent in the random oracle model. We remark, however, that the reduction in [FOPS00] is significantly less efficient than our general reduction for OAEP+. In particular, their reduction only implies that if an adversary has advantage $\epsilon$ in breaking RSA-OAEP, then there is an algorithm that solves the RSA inversion problem with probability about $\epsilon^2$. Moreover, their inversion algorithm is even somewhat slower than that of the (incorrect) inversion algorithm for OAEP in [BR94]. There is still the possibility, however, that a more efficient reduction for RSA-OAEP can be found.

Acknowledgments. Thanks to Jean-Sébastien Coron for pointing out an error in a previous draft. Namely, it was claimed that the variant OAEP' briefly discussed in §7.1 could also be proven secure, but this is not so.
Abstract. Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.



1 Introduction 

The OAEP conversion method was introduced by Bellare and Rogaway in 1994 and was believed to provide semantic security against adaptive chosen-ciphertext attacks based on the one-wayness of a trapdoor permutation, using the (corrected) definition of plaintext-awareness.

Victor Shoup recently showed that it is quite unlikely that such a security proof exists — at least for non-malleability — under the one-wayness of the permutation. He also proposed a slightly modified version of OAEP, called OAEP+, which can be proven secure, under the one-wayness of the permutation.

Does Shoup's result mean that OAEP is insecure or that it is impossible to prove the security of OAEP? This is a totally misleading view: the result only states that it is highly unlikely to find any proof, under just the one-wayness assumption. In other words, Shoup's result does not preclude the possibility of proving the security of OAEP from stronger assumptions.

This paper uses such a stronger assumption. More precisely, in our reduction, a new computational assumption is introduced to prove the existence of a simulator of the decryption oracle. Based on this idea, we prove that OAEP is semantically secure against adaptive chosen-ciphertext attack in the random oracle model, under the partial-domain one-wayness of the underlying permutation, which is stronger than the original assumption.

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 260–274, 2001.

© Springer-Verlag Berlin Heidelberg 2001

Since partial-domain one-wayness of the RSA function is equivalent to the (full-domain) one-wayness, the security of RSA-OAEP can actually be proven under the one-wayness of the RSA function.

The rest of this paper is organized as follows. Section 2 recalls the basic notions of asymmetric encryption and the various security notions. Section 3 reviews the OAEP conversion. Sections 4 and 5 present our new security result together with a formal proof for general OAEP applications. In Section 6 we focus on the RSA application of OAEP, RSA-OAEP.

2 Public-Key Encryption 

The aim of public-key encryption is to allow anybody who knows the public key of Alice to send her a message that only she will be able to recover through her private key.

2.1 Definitions 

A public-key encryption scheme is defined by the three following algorithms: 

— The key generation algorithm $\mathcal{K}$. On input $1^k$, where $k$ is the security parameter, the algorithm $\mathcal{K}$ produces a pair $(\mathsf{pk}, \mathsf{sk})$ of matching public and secret keys. Algorithm $\mathcal{K}$ is probabilistic.

— The encryption algorithm $\mathcal{E}$. Given a message $m$ and a public key $\mathsf{pk}$, $\mathcal{E}$ produces a ciphertext $c$ of $m$. This algorithm may be probabilistic.

— The decryption algorithm $\mathcal{D}$. Given a ciphertext $c$ and the secret key $\mathsf{sk}$, $\mathcal{D}$ returns the plaintext $m$. This algorithm is deterministic.



2.2 Security Notions 

The first security notion that one would like for an encryption scheme is one-wayness: starting with just public data, an attacker cannot recover the complete plaintext of a given ciphertext. More formally, this means that for any adversary $\mathcal{A}$, her success in inverting $\mathcal{E}$ without the secret key should be negligible over the probability space $\mathcal{M} \times \Omega$, where $\mathcal{M}$ is the message space and $\Omega$ is the space of the random coins $r$ used for the encryption scheme, and the internal random coins of the adversary:

$$\mathrm{Succ}^{\mathrm{ow}}(\mathcal{A}) = \Pr_{m, r}\left[(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathcal{K}(1^k) : \mathcal{A}(\mathsf{pk}, \mathcal{E}_{\mathsf{pk}}(m; r)) = m\right].$$

However, many applications require more from an encryption scheme, namely semantic security (a.k.a. polynomial security or indistinguishability of encryptions, introduced by Goldwasser and Micali, denoted IND): if the attacker has some information about the plaintext, for example that it is either "yes" or "no" to a crucial query, no adversary should learn more with the view of the ciphertext. This security notion requires computational impossibility to distinguish between two messages, chosen by the adversary, one of which has been encrypted, with a probability significantly better than one half: her advantage $\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A})$, where the adversary $\mathcal{A}$ is seen as a 2-stage Turing machine $(\mathcal{A}_1, \mathcal{A}_2)$, should be negligible, where $\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A})$ is formally defined as

$$\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A}) = 2 \times \Pr_{b,r}\left[\begin{array}{l} (\mathsf{pk},\mathsf{sk}) \leftarrow \mathcal{K}(1^k),\ (m_0, m_1, s) \leftarrow \mathcal{A}_1(\mathsf{pk}), \\ c = \mathcal{E}_{\mathsf{pk}}(m_b; r) : \mathcal{A}_2(m_0, m_1, s, c) = b \end{array}\right] - 1.$$



Another notion was defined thereafter, the so-called non-malleability, introduced by Dolev, Dwork and Naor, in which the adversary tries to produce a new ciphertext such that the plaintexts are meaningfully related. This notion is stronger than the above one, but it is equivalent to semantic security in the most interesting scenario (adaptive chosen-ciphertext attacks, see below).

On the other hand, an attacker can use many kinds of attacks: since we are considering asymmetric encryption, the adversary can encrypt any plaintext of her choice with the public key, hence the chosen-plaintext attack. She may, furthermore, have access to more information, modeled by partial or full access to some oracles: a plaintext-checking oracle which, on input of a pair $(m, c)$, answers whether $c$ encrypts the message $m$ (this attack has been named the Plaintext-Checking Attack); a validity-checking oracle which, on input of a ciphertext $c$, just answers whether it is a valid ciphertext (this weak oracle, involved in the reaction attacks of Hall, Goldberg and Schneier, had been enough for Bleichenbacher to break some famous encryption schemes, namely PKCS #1 v1.5); or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non-adaptive/adaptive chosen-ciphertext attacks, due to Naor and Yung and to Rackoff and Simon respectively). The latter, the adaptive chosen-ciphertext attack denoted CCA2, is clearly the strongest one.

A general study of these security notions and attacks was given by Bellare, Desai, Pointcheval and Rogaway; we therefore refer the reader to that paper for more details. However, the by now expected security level for public-key encryption schemes is semantic security against adaptive chosen-ciphertext attacks (IND-CCA2), where the adversary just wants to distinguish which plaintext, between two messages of her choice, has been encrypted, and she can ask any query she wants to a decryption oracle (except on the challenge ciphertext). This is the strongest scenario one can define.



3 Review of OAEP 

3.1 The Underlying Problems 

Consider a permutation $f : \{0,1\}^k \to \{0,1\}^k$, which can also be seen as

$$f : \{0,1\}^{n+k_1} \times \{0,1\}^{k_0} \to \{0,1\}^{n+k_1} \times \{0,1\}^{k_0},$$

with $k = n + k_0 + k_1$. In the original description of OAEP by Bellare and Rogaway [2], it is only required that $f$ is a trapdoor one-way permutation. However, in the following, we consider two additional related problems: the partial-domain one-wayness and the set partial-domain one-wayness of permutation $f$:
— $(\tau, \varepsilon)$-One-Wayness of $f$ means that for any adversary $\mathcal{A}$ whose running time is bounded by $\tau$, the success probability $\mathrm{Succ}^{\mathrm{ow}}(\mathcal{A})$ is upper-bounded by $\varepsilon$, where
$$\mathrm{Succ}^{\mathrm{ow}}(\mathcal{A}) = \Pr_{s,t}\big[\mathcal{A}(f(s,t)) = (s,t)\big];$$

— $(\tau, \varepsilon)$-Partial-Domain One-Wayness of $f$ means that for any adversary $\mathcal{A}$ whose running time is bounded by $\tau$, the success probability $\mathrm{Succ}^{\mathrm{pd\text{-}ow}}(\mathcal{A})$ is upper-bounded by $\varepsilon$, where
$$\mathrm{Succ}^{\mathrm{pd\text{-}ow}}(\mathcal{A}) = \Pr_{s,t}\big[\mathcal{A}(f(s,t)) = s\big];$$

— $(\ell, \tau, \varepsilon)$-Set Partial-Domain One-Wayness of $f$ means that for any adversary $\mathcal{A}$ that outputs a set of $\ell$ elements within time bound $\tau$, the success probability $\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(\mathcal{A})$ is upper-bounded by $\varepsilon$, where
$$\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(\mathcal{A}) = \Pr_{s,t}\big[s \in \mathcal{A}(f(s,t))\big].$$

We denote by $\mathrm{Succ}^{\mathrm{ow}}(\tau)$ (resp. $\mathrm{Succ}^{\mathrm{pd\text{-}ow}}(\tau)$ and $\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(\ell, \tau)$) the maximal success probability $\mathrm{Succ}^{\mathrm{ow}}(\mathcal{A})$ (resp. $\mathrm{Succ}^{\mathrm{pd\text{-}ow}}(\mathcal{A})$ and $\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(\mathcal{A})$). The maximum ranges over all adversaries whose running time is bounded by $\tau$. In the third case, there is an obvious additional restriction on this range from the fact that $\mathcal{A}$ outputs sets with $\ell$ elements. It is clear that for any $\tau$ and $\ell \ge 1$,
$$\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(\ell, \tau) \ge \mathrm{Succ}^{\mathrm{pd\text{-}ow}}(\tau) \ge \mathrm{Succ}^{\mathrm{ow}}(\tau).$$

Note that, by randomly selecting an element in the set returned by an adversary to the Set Partial-Domain One-Wayness, one breaks Partial-Domain One-Wayness with probability $\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(\ell, \tau)/\ell$. This provides the following inequality:
$$\mathrm{Succ}^{\mathrm{pd\text{-}ow}}(\tau) \ge \mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(\ell, \tau)/\ell.$$
However, for specific choices of $f$, more efficient reductions may exist. Also, in some cases, all three problems are polynomially equivalent. This is the case for the RSA permutation, hence the results in Section 6.

3.2 The OAEP Cryptosystem 

We briefly describe the OAEP cryptosystem $(\mathcal{K}, \mathcal{E}, \mathcal{D})$ obtained from a permutation $f$, whose inverse is denoted by $g$. We need two hash functions $G$ and $H$:

$$G : \{0,1\}^{k_0} \to \{0,1\}^{k-k_0} \quad\text{and}\quad H : \{0,1\}^{k-k_0} \to \{0,1\}^{k_0}.$$

Then,

— $\mathcal{K}(1^k)$: specifies an instance of the function $f$, and of its inverse $g$. The public key $\mathsf{pk}$ is therefore $f$ and the secret key $\mathsf{sk}$ is $g$.

— $\mathcal{E}_{\mathsf{pk}}(m; r)$: given a message $m \in \{0,1\}^n$, and a random value $r \leftarrow \{0,1\}^{k_0}$, the encryption algorithm computes
$$s = (m \| 0^{k_1}) \oplus G(r) \quad\text{and}\quad t = r \oplus H(s),$$
and outputs the ciphertext $c = f(s, t)$.

— $\mathcal{D}_{\mathsf{sk}}(c)$: thanks to the secret key, the decryption algorithm extracts
$$(s, t) = g(c), \quad\text{and next}\quad r = t \oplus H(s) \quad\text{and}\quad M = s \oplus G(r).$$
If $[M]_{k_1} = 0^{k_1}$, the algorithm returns $[M]^n$, otherwise it returns "Reject".

In the above description, $[M]_{k_1}$ denotes the $k_1$ least significant bits of $M$, while $[M]^n$ denotes the $n$ most significant bits of $M$.

4 Security Result 

In their paper, Bellare and Rogaway [2] provided a security analysis, which proved that the OAEP construction together with any trapdoor one-way permutation is semantically secure and (weakly) plaintext-aware. Unfortunately, this just proves semantic security against non-adaptive chosen-ciphertext attacks (a.k.a. lunchtime attacks, or IND-CCA1). Even if the achieved security was believed to be stronger (namely IND-CCA2), it had never been proven. Indeed, Shoup recently showed that it is quite unlikely that such a security proof exists, for any trapdoor one-way permutation. However, he provided a specific proof for RSA with public exponent 3.

In the following, we provide a general security analysis, but under a stronger assumption about the underlying permutation. Indeed, we prove that the scheme is IND-CCA2 in the random oracle model, relative to the partial-domain one-wayness of function $f$. More precisely, the following exact security result holds.

Theorem 1. Let $\mathcal{A}$ be a CCA2-adversary against the "semantic security" of the OAEP conversion $(\mathcal{K}, \mathcal{E}, \mathcal{D})$, with advantage $\varepsilon$ and running time $t$, making $q_D$, $q_G$ and $q_H$ queries to the decryption oracle, and the hash functions $G$ and $H$ respectively. Then, $\mathrm{Succ}^{\mathrm{pd\text{-}ow}}(t')$ is greater than

$$\frac{1}{q_H} \times \left( \frac{\varepsilon}{2} - \frac{2 q_D q_G + q_D + q_G}{2^{k_0}} - \frac{2 q_D}{2^{k_1}} \right),$$

where $t' \le t + q_G \cdot q_H \cdot (T_f + O(1))$, and $T_f$ denotes the time complexity of function $f$.

In order to prove this theorem relative to the partial-domain one-wayness of the permutation, one can use the related notion of set partial-domain one-wayness. The theorem follows from the inequalities of the previous section together with the lemma stated below.

Lemma 2. Let $\mathcal{A}$ be a CCA2-adversary against the "semantic security" of the OAEP conversion $(\mathcal{K}, \mathcal{E}, \mathcal{D})$, with advantage $\varepsilon$ and running time $t$, making $q_D$, $q_G$ and $q_H$ queries to the decryption oracle, and the hash functions $G$ and $H$ respectively. Then, $\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(q_H, t')$ is greater than

$$\frac{\varepsilon}{2} - \frac{2 q_D q_G + q_D + q_G}{2^{k_0}} - \frac{2 q_D}{2^{k_1}},$$

where $t' \le t + q_G \cdot q_H \cdot (T_f + O(1))$, and $T_f$ denotes the time complexity of function $f$.

The next section is devoted to proving this lemma. Hereafter, we will repeatedly use the following simple result:

Lemma 3. For any probability events $E$, $F$ and $G$,
$$\Pr[E \wedge F \mid G] \le \min\big(\Pr[E \mid F \wedge G],\ \Pr[F \mid G]\big).$$

5 Proof of Lemma 2

We prove Lemma 2 in three stages. The first presents the reduction of an IND-CCA2 adversary $\mathcal{A}$ to an algorithm $\mathcal{B}$ for breaking the partial-domain one-wayness of $f$. Note that, in the present proof, we are just interested in security under the partial-domain one-wayness of $f$, and not under the full-domain one-wayness of $f$ as in the original paper [2]. The second shows that the decryption oracle simulation employed in this reduction works correctly with overwhelming probability under the partial-domain one-wayness of $f$. This latter part differs from the original proof, and corrects the flaw recently spotted by Shoup. Finally, we analyze the success probability of our reduction in total, through the incorporation of the above-mentioned analysis of the decryption oracle simulation.

5.1 Description of the Reduction 

In this first part, we recall how the reduction operates. Let $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ be an adversary against the semantic security of $(\mathcal{K}, \mathcal{E}, \mathcal{D})$, under chosen-ciphertext attacks. Within time bound $t$, $\mathcal{A}$ asks $q_D$, $q_G$ and $q_H$ queries to the decryption oracle and the random oracles $G$ and $H$ respectively, and distinguishes the right plaintext with an advantage greater than $\varepsilon$. Let us describe the reduction $\mathcal{B}$.

Top Level Description of the Reduction

1. $\mathcal{B}$ is given a function $f$ (defined by the public key) and $c^\star \leftarrow f(s^\star, t^\star)$, for $(s^\star, t^\star) \leftarrow \{0,1\}^{k-k_0} \times \{0,1\}^{k_0}$. The aim of $\mathcal{B}$ is to recover the partial pre-image $s^\star$ of $c^\star$.

2. $\mathcal{B}$ runs $\mathcal{A}_1$ on the public data, and gets a pair of messages $\{m_0, m_1\}$ as well as state information $st$. It chooses a random bit $b$, and then gives $c^\star$ to $\mathcal{A}$, as the ciphertext of $m_b$. $\mathcal{B}$ simulates the answers to the queries of $\mathcal{A}_1$ to the decryption oracle and random oracles $G$ and $H$ respectively. See the description of these simulations below.

3. $\mathcal{B}$ runs $\mathcal{A}_2(c^\star, st)$ and finally gets answer $b'$. $\mathcal{B}$ simulates the answers to the queries of $\mathcal{A}_2$ to the decryption oracle and random oracles $G$ and $H$ respectively. See the description of these simulations below. $\mathcal{B}$ then outputs the partial pre-image $s^\star$ of $c^\star$, if one has been found among the queries asked to $H$ (see below), or the list of queries asked to $H$.
Simulation of Random Oracles G and H. The random oracle simulation has to simulate the random oracle answers, managing query/answer lists G-List and H-List for the oracles $G$ and $H$ respectively, both initially set to empty lists:

— for a fresh query $\gamma$ to $G$, one looks at the H-List, and for any query $\delta$ asked to $H$ with answer $H_\delta$, one builds $z = \gamma \oplus H_\delta$ and checks whether $c^\star = f(\delta, z)$. If for some $\delta$ that relation holds, function $f$ has been inverted, and we can still correctly simulate $G$, by answering $G_\gamma = \delta \oplus (m_b \| 0^{k_1})$. Note that $G_\gamma$ is then a uniformly distributed value since $\delta = s^\star$, and the latter is uniformly distributed. Otherwise, one outputs a random value $G_\gamma$. In both cases, the pair $(\gamma, G_\gamma)$ is concatenated to the G-List.

— for a fresh query $\delta$ to $H$, one outputs a random value $H_\delta$, and the pair $(\delta, H_\delta)$ is concatenated to the H-List. Note that, once again, for any $(\gamma, G_\gamma) \in$ G-List, one may build $z = \gamma \oplus H_\delta$, and check whether $c^\star = f(\delta, z)$. If for some $\gamma$ that relation holds, we have inverted the function $f$.

Simulation of the Decryption Oracle. On query $c = f(s, t)$ to the decryption oracle, the decryption oracle simulation $\mathcal{DS}$ looks at each query-answer $(\gamma, G_\gamma) \in$ G-List and $(\delta, H_\delta) \in$ H-List. For each pair taken from both lists, it defines
$$\sigma = \delta, \qquad \tau = \gamma \oplus H_\delta, \qquad \mu = G_\gamma \oplus \delta,$$
and checks whether
$$c = f(\sigma, \tau) \quad\text{and}\quad [\mu]_{k_1} = 0^{k_1}.$$
As soon as both equalities hold, $\mathcal{DS}$ outputs $[\mu]^n$. If no such pair is found, "Reject" is returned.
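The OAEP cryptosystem of Section 3.2 together with the list-based decryption oracle simulation $\mathcal{DS}$ just described, as an added example (not the paper's code). Assumptions: all parameters are whole bytes; SHA-256 with domain-separation prefixes stands in for the random oracles $G$ and $H$; the trapdoor permutation is a toy RSA instance on a 196-bit modulus built from two Mersenne primes, chosen so that every 192-bit value $s\|t$ lies below $N$ (PKCS #1 instead reserves a leading zero byte); and the G-List/H-List are Python dicts filled by the oracle wrappers. The sizes $k_0 = k_1 = 32$ bits are for illustration only and would be far too small in practice.

```python
"""OAEP over a toy RSA trapdoor permutation, plus the list-based decryption
simulator (plaintext extractor) of Section 5.1.  Added example, not the
paper's code.  Parameters are in bytes and are far too small for real use."""
import hashlib
import secrets

K0 = 4                      # |r|  (bytes)
K1 = 4                      # zero redundancy 0^{k1}
N_LEN = 16                  # |m|
K = N_LEN + K0 + K1         # k = n + k0 + k1 = 24 bytes = 192 bits

# Toy RSA instance from two Mersenne primes (assumption: chosen so that N has
# 196 bits, hence every 192-bit value s||t is below N and f is a permutation
# on the padded domain).
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# G-List / H-List: the query/answer lists the reduction B keeps.
G_LIST: dict = {}
H_LIST: dict = {}

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def G(r: bytes) -> bytes:
    """G: {0,1}^{k0} -> {0,1}^{k-k0}; SHA-256 stands in for the random oracle."""
    assert len(r) == K0
    G_LIST.setdefault(r, hashlib.sha256(b"G|" + r).digest()[:K - K0])
    return G_LIST[r]

def H(s: bytes) -> bytes:
    """H: {0,1}^{k-k0} -> {0,1}^{k0}."""
    assert len(s) == K - K0
    H_LIST.setdefault(s, hashlib.sha256(b"H|" + s).digest()[:K0])
    return H_LIST[s]

def f(s: bytes, t: bytes) -> int:
    """Trapdoor permutation f(s,t): s||t read as a k-bit integer, then RSA."""
    return pow(int.from_bytes(s + t, "big"), E, N)

def g(c: int):
    """Inverse g = f^{-1} (needs the trapdoor D); None if the preimage is not k bits."""
    x = pow(c, D, N)
    if x >= 1 << (8 * K):
        return None
    st = x.to_bytes(K, "big")
    return st[:K - K0], st[K - K0:]

def encrypt(m: bytes, r: bytes = None) -> int:
    """E_pk(m; r): s = (m||0^{k1}) xor G(r), t = r xor H(s), c = f(s,t)."""
    assert len(m) == N_LEN
    r = secrets.token_bytes(K0) if r is None else r
    s = xor(m + bytes(K1), G(r))
    t = xor(r, H(s))
    return f(s, t)

def decrypt(c: int):
    """D_sk(c): real decryption; returns [M]^n or None ("Reject")."""
    pre = g(c)
    if pre is None:
        return None
    s, t = pre
    r = xor(t, H(s))
    M = xor(s, G(r))
    return M[:N_LEN] if M[N_LEN:] == bytes(K1) else None

def extract(c: int):
    """Decryption-oracle simulation DS of Section 5.1: no trapdoor, only the
    G-List and H-List.  For every (gamma, G_gamma), (delta, H_delta) set
    sigma = delta, tau = gamma xor H_delta, mu = G_gamma xor delta and test
    c == f(sigma, tau) and [mu]_{k1} == 0^{k1}."""
    for gamma, g_gamma in G_LIST.items():
        for delta, h_delta in H_LIST.items():
            sigma, tau, mu = delta, xor(gamma, h_delta), xor(g_gamma, delta)
            if f(sigma, tau) == c and mu[N_LEN:] == bytes(K1):
                return mu[:N_LEN]
    return None   # "Reject": the extractor can only fail in this direction

if __name__ == "__main__":
    m, r = b"0123456789abcdef", bytes.fromhex("a1b2c3d4")
    c = encrypt(m, r)
    print(decrypt(c) == m, extract(c) == m, decrypt(c ^ 1), extract(c ^ 1))
```

On a ciphertext the "adversary" built honestly, `decrypt` and `extract` agree, because both $r$ and $s$ are in the lists. Flipping a bit of $c$, or exploiting the multiplicative malleability $c \cdot 2^e \bmod N$, is rejected by both with overwhelming probability; the only way the extractor can disagree with real decryption is the one the text notes, rejecting a valid ciphertext whose $r$ or $s$ was never queried.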

Remarks. When we have found the pre-image of $c^\star$, and thus inverted $f$, we could output the expected result $s^\star$ and stop the reduction. But for this analysis, we assume the reduction goes on and that $\mathcal{B}$ only outputs it, or the list of queries asked to $H$, once $\mathcal{A}_2$ has answered $b'$ (or after a time limit).

Even if no answer is explicitly specified, except by a random value for new queries, some are implicitly defined. Indeed, $c^\star$ is defined to be a ciphertext of $m_b$ with random tape $r^\star$:
$$r^\star \leftarrow H(s^\star) \oplus t^\star \quad\text{and}\quad G(r^\star) \leftarrow s^\star \oplus (m_b \| 0^{k_1}).$$
Since $H(s^\star)$ is randomly defined, $r^\star$ can be seen as a random variable. Let us denote by AskG the event that query $r^\star$ has been asked to $G$, and by AskH the event that query $s^\star$ has been asked to $H$. Let us furthermore denote by GBad the event that $r^\star$ has been asked to $G$, but the answer is something other than $s^\star \oplus (m_b \| 0^{k_1})$ (bit $b$ is fixed in the reduction scenario). Note that the event GBad implies AskG. As seen above, GBad is the only event that makes the random oracle simulation imperfect, in the chosen-plaintext attack scenario. In the chosen-ciphertext attack scenario, we described a decryption simulator that may sometimes fail. Such an event of decryption failure will be denoted by DBad. We thus denote Bad = GBad $\vee$ DBad.
5.2 Notations

In order to proceed to the analysis of the success probability of the above-mentioned reduction, one needs to set up notations. First, we still denote with a star ($\star$) all variables related to the challenge ciphertext $c^\star$, obtained from the encryption oracle. Indeed, this ciphertext, of either $m_0$ or $m_1$, implicitly defines hash values, but the corresponding pairs may not appear in the G or H lists. All other variables refer to the decryption query $c$, asked by the adversary to the decryption oracle, and thus to be decrypted by this simulation. We consider several further events about a ciphertext queried to the decryption oracle:

— CBad denotes the union of the bad events, CBad = RBad $\vee$ SBad, where

  • SBad denotes the event that $s = s^\star$;

  • RBad denotes the event that $r = r^\star$, and thus $H(s) \oplus t = H(s^\star) \oplus t^\star$;

— AskRS denotes the intersection of both events about the oracle queries, AskRS = AskR $\wedge$ AskS, which means that both $r$ and $s$ have been asked to $G$ and $H$ respectively, since

  • AskR denotes the event that $r$ $(= H(s) \oplus t)$ has been asked to $G$;

  • AskS denotes the event that $s$ has been asked to $H$;

— Fail denotes the event that the above decryption oracle simulator outputs a wrong decryption answer to query $c$. (More precisely, we may denote $\mathrm{Fail}_i$ for event Fail on the $i$-th query $c_i$ ($i = 1, \dots, q_D$). For our analysis, however, we can evaluate probabilities regarding event $\mathrm{Fail}_i$ in a uniform manner for any $i$. Hence, we just employ the notation Fail.) Therefore, in the global reduction, the event DBad will be set to true as soon as one decryption simulation fails.

Note that the Fail event is limited to the situation in which the plaintext-extractor rejects a ciphertext whereas it would be accepted by the actual decryption oracle. Indeed, as soon as it accepts, we see that the ciphertext is actually valid and corresponds to the output plaintext.

5.3 Analysis of the Decryption Oracle Simulation 

We analyze the success probability of the decryption oracle simulator $\mathcal{DS}$.

Security Claim. We claim the following, which repairs the previous proof [2], based on the new computational assumption. More precisely, we show that the additional cases to consider, due to the corrected definition of plaintext-awareness, are very unlikely under the partial-domain one-wayness of the permutation $f$:

Lemma 4. When at most one ciphertext $c^\star = f(s^\star, t^\star)$ has been directly obtained from the encryption oracle, but $s^\star$ has not been asked to $H$, the decryption oracle simulation $\mathcal{DS}$ can correctly produce the decryption oracle's output on query (ciphertext) $c$ $(\neq c^\star)$ with probability greater than $\varepsilon'$, within time bound $t'$, where
$$\varepsilon' \ge 1 - \frac{2}{2^{k_1}} - \frac{2 q_G + 1}{2^{k_0}}, \qquad t' \le q_G \cdot q_H \cdot (T_f + O(1)).$$
Before we start the analysis, we recall that the decryption oracle simulator is given the ciphertext $c$ to be decrypted, as well as the ciphertext $c^\star$ obtained from the encryption oracle and both the G-List and H-List resulting from the interactions with the random oracles $G$ and $H$. Let us first see that the simulation uniquely defines a possible plaintext, and thus can output the first one it finds. Indeed, with the above definition, several pairs could satisfy the equalities. However, since function $f$ is a permutation, and thus one-to-one, the value of $\sigma = s$ is uniquely defined, and thus $\delta$ and $H_\delta$. Similarly, $\tau = t$ is uniquely defined, and thus $\gamma$ and $G_\gamma$: at most one $\mu$ may be selected. Then either $[\mu]_{k_1} = 0^{k_1}$ or not.

In the above, one should keep in mind that the G-List and H-List correspond to input-output pairs for the functions $G$ and $H$. Thus, at most one output is related to a given input.

If the ciphertext has been correctly built by the adversary ($r$ has been asked to $G$ and $s$ to $H$), the simulation will output the correct answer. However, it will output "Reject" in any other situation, whereas the adversary may have built a valid ciphertext without asking both queries to the random oracles $G$ and $H$.



Success Probability. Since our goal is to prove the security relative to the partial-domain one-wayness of $f$, we are only interested in the probability of the event Fail, while $\neg$AskH occurred, which may be split according to other events. Granted $\neg$CBad $\wedge$ AskRS, the simulation is perfect, and cannot fail. Thus, we have to consider the complementary events:
$$\Pr[\mathrm{Fail} \mid \neg\mathrm{AskH}] = \Pr[\mathrm{Fail} \wedge \mathrm{CBad} \mid \neg\mathrm{AskH}] + \Pr[\mathrm{Fail} \wedge \neg\mathrm{CBad} \wedge \neg\mathrm{AskRS} \mid \neg\mathrm{AskH}].$$
Concerning the latter contribution to the right hand side, we first note that both
$$\neg\mathrm{AskRS} = \neg\mathrm{AskR} \vee \neg\mathrm{AskS} = (\neg\mathrm{AskR}) \vee (\neg\mathrm{AskS} \wedge \mathrm{AskR}), \qquad \neg\mathrm{CBad} = \neg\mathrm{RBad} \wedge \neg\mathrm{SBad}.$$
Forgetting $\neg$AskH for a while, using Lemma 3 one gets that $\Pr[\mathrm{Fail} \wedge \neg\mathrm{CBad} \wedge \neg\mathrm{AskRS}]$ is less than
$$\Pr[\mathrm{Fail} \wedge \neg\mathrm{RBad} \wedge \neg\mathrm{AskR}] + \Pr[\mathrm{Fail} \wedge \neg\mathrm{SBad} \wedge (\mathrm{AskR} \wedge \neg\mathrm{AskS})] \le \Pr[\mathrm{Fail} \mid \neg\mathrm{AskR} \wedge \neg\mathrm{RBad}] + \Pr[\mathrm{AskR} \mid \neg\mathrm{AskS} \wedge \neg\mathrm{SBad}].$$
But without having asked $r$ to $G$, taking into account the further event $\neg$RBad, $G(r)$ is unpredictable, and thus the probability that $[s \oplus G(r)]_{k_1} = 0^{k_1}$ is less than $2^{-k_1}$. On the other hand, the probability of having asked $r$ to $G$, without any information about $H(s)$ and thus about $r$ ($H(s)$ not asked, and $s \neq s^\star$, which both come from the conditioning $\neg$AskS $\wedge$ $\neg$SBad), is less than $q_G \cdot 2^{-k_0}$. Furthermore, this event is independent of AskH, which yields
$$\Pr[\mathrm{Fail} \wedge \neg\mathrm{CBad} \wedge \neg\mathrm{AskRS} \mid \neg\mathrm{AskH}] \le 2^{-k_1} + q_G \cdot 2^{-k_0}.$$
We now focus on the former term, Fail $\wedge$ CBad, while $\neg$AskH, which was missing in the original proof [2] based on a weaker notion of plaintext-awareness.
It can be split according to the disjoint sub-cases of CBad, which are SBad and $\neg$SBad $\wedge$ RBad. Then again using Lemma 3,
$$\Pr[\mathrm{Fail} \wedge \mathrm{CBad} \mid \neg\mathrm{AskH}] \le \Pr[\mathrm{Fail} \mid \mathrm{SBad} \wedge \neg\mathrm{AskH}] + \Pr[\mathrm{RBad} \mid \neg\mathrm{SBad} \wedge \neg\mathrm{AskH}].$$
The latter event means that RBad occurs provided $s \neq s^\star$ and the adversary has not queried $s^\star$ from $H$. When $s^\star$ has not been asked to $H$ and $s \neq s^\star$, $H(s^\star)$ is unpredictable and independent of $H(s)$ as well as $t$ and $t^\star$. Then, event RBad, $H(s^\star) = H(s) \oplus t \oplus t^\star$, occurs with probability at most $2^{-k_0}$.

The former event can be further split according to AskR, and, using once again Lemma 3, it is upper-bounded by
$$\Pr[\mathrm{AskR} \mid \mathrm{SBad} \wedge \neg\mathrm{AskH}] + \Pr[\mathrm{Fail} \mid \neg\mathrm{AskR} \wedge \mathrm{SBad} \wedge \neg\mathrm{AskH}].$$
The former event means that $r$ is asked to $G$ whereas $s = s^\star$ and $H(s^\star)$ is unpredictable, thus $H(s)$ is unpredictable. Since $r$ is unpredictable, the probability of this event is at most $q_G \cdot 2^{-k_0}$ (the probability of asking $r$ to $G$). On the other hand, the latter event means that the simulator rejects the valid ciphertext $c$ whereas $H(s)$ is unpredictable and $r$ is not asked to $G$. From the one-to-one property of the Feistel network, it follows from $s = s^\star$ (and $c \neq c^\star$) that $r \neq r^\star$, and thus $G(r)$ is unpredictable. Then the redundancy cannot hold with probability greater than $2^{-k_1}$. To sum up, $\Pr[\mathrm{Fail} \mid \mathrm{SBad} \wedge \neg\mathrm{AskH}] \le 2^{-k_1} + q_G \cdot 2^{-k_0}$, thus $\Pr[\mathrm{Fail} \wedge \mathrm{CBad} \mid \neg\mathrm{AskH}] \le 2^{-k_1} + (q_G + 1) \cdot 2^{-k_0}$.

As a consequence,
$$\Pr[\mathrm{Fail} \mid \neg\mathrm{AskH}] \le \frac{2}{2^{k_1}} + \frac{2 q_G + 1}{2^{k_0}}.$$

The running time of this simulator includes just the computation of $f(\sigma, \tau)$ for all possible pairs and is thus bounded by $q_G \cdot q_H \cdot (T_f + O(1))$.

5.4 Success Probability of the Reduction 

This subsection analyzes the success probability of our reduction with respect to the advantage of the IND-CCA2 adversary. The goal of the reduction is, given $c^\star = f(s^\star, t^\star)$, to obtain $s^\star$. Therefore, the success probability is lower-bounded by the probability that event AskH occurs during the reduction (i.e., $\Pr[\mathrm{AskH}] \le \mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(q_H, t')$, where $t'$ is the running time of the reduction).

We thus evaluate $\Pr[\mathrm{AskH}]$ by splitting event AskH according to event Bad:
$$\Pr[\mathrm{AskH}] = \Pr[\mathrm{AskH} \wedge \mathrm{Bad}] + \Pr[\mathrm{AskH} \wedge \neg\mathrm{Bad}].$$

First let us evaluate the first term.
$$\begin{aligned}
\Pr[\mathrm{AskH} \wedge \mathrm{Bad}] &= \Pr[\mathrm{Bad}] - \Pr[\neg\mathrm{AskH} \wedge \mathrm{Bad}] \\
&\ge \Pr[\mathrm{Bad}] - \Pr[\neg\mathrm{AskH} \wedge \mathrm{GBad}] - \Pr[\neg\mathrm{AskH} \wedge \mathrm{DBad}] \\
&\ge \Pr[\mathrm{Bad}] - \Pr[\mathrm{GBad} \mid \neg\mathrm{AskH}] - \Pr[\mathrm{DBad} \mid \neg\mathrm{AskH}] \\
&\ge \Pr[\mathrm{Bad}] - \Pr[\mathrm{AskG} \mid \neg\mathrm{AskH}] - \Pr[\mathrm{DBad} \mid \neg\mathrm{AskH}] \\
&\ge \Pr[\mathrm{Bad}] - \frac{q_G}{2^{k_0}} - q_D \left( \frac{2}{2^{k_1}} + \frac{2 q_G + 1}{2^{k_0}} \right) \\
&= \Pr[\mathrm{Bad}] - \frac{2 q_D q_G + q_D + q_G}{2^{k_0}} - \frac{2 q_D}{2^{k_1}}.
\end{aligned}$$

Here, $\Pr[\mathrm{DBad} \mid \neg\mathrm{AskH}] \le q_D \cdot \big(2 \cdot 2^{-k_1} + (2 q_G + 1) \cdot 2^{-k_0}\big)$ is directly obtained from Lemma 4, and $\Pr[\mathrm{GBad} \mid \neg\mathrm{AskH}] \le \Pr[\mathrm{AskG} \mid \neg\mathrm{AskH}]$ is obtained from the fact that event GBad implies AskG. When $\neg$AskH occurs, $H(s^\star)$ is unpredictable, and $r^\star = t^\star \oplus H(s^\star)$ is also unpredictable. Hence $\Pr[\mathrm{AskG} \mid \neg\mathrm{AskH}] \le q_G \cdot 2^{-k_0}$.

We then evaluate the second term.
$$\begin{aligned}
\Pr[\mathrm{AskH} \wedge \neg\mathrm{Bad}] &= \Pr[\neg\mathrm{Bad}] \cdot \Pr[\mathrm{AskH} \mid \neg\mathrm{Bad}] \\
&\ge \Pr[\neg\mathrm{Bad}] \cdot \Pr[\mathcal{A} = b \wedge \mathrm{AskH} \mid \neg\mathrm{Bad}] \\
&\ge \Pr[\neg\mathrm{Bad}] \cdot \big(\Pr[\mathcal{A} = b \mid \neg\mathrm{Bad}] - \Pr[\mathcal{A} = b \wedge \neg\mathrm{AskH} \mid \neg\mathrm{Bad}]\big).
\end{aligned}$$
Here, when $\neg$AskH occurs, $H(s^\star)$ is unpredictable, thus $r^\star = t^\star \oplus H(s^\star)$ is unpredictable, and so is $b$ as well. This fact is independent from event $\neg$Bad. Hence $\Pr[\mathcal{A} = b \wedge \neg\mathrm{AskH} \mid \neg\mathrm{Bad}] \le \Pr[\mathcal{A} = b \mid \neg\mathrm{AskH} \wedge \neg\mathrm{Bad}] = 1/2$. Furthermore,
$$\frac{1}{2} + \frac{\varepsilon}{2} \le \Pr[\mathcal{A} = b] \le \Pr[\mathcal{A} = b \mid \neg\mathrm{Bad}] \cdot \Pr[\neg\mathrm{Bad}] + \Pr[\mathrm{Bad}].$$
Therefore,
$$\Pr[\mathrm{AskH} \wedge \neg\mathrm{Bad}] \ge \left(\frac{1}{2} + \frac{\varepsilon}{2} - \Pr[\mathrm{Bad}]\right) - \frac{\Pr[\neg\mathrm{Bad}]}{2} = \frac{\varepsilon}{2} - \frac{\Pr[\mathrm{Bad}]}{2}.$$
Combining the evaluation for the first and second terms, and from the fact that $\Pr[\mathrm{Bad}] \ge 0$, one gets
$$\Pr[\mathrm{AskH}] \ge \frac{\varepsilon}{2} - \frac{2 q_D q_G + q_D + q_G}{2^{k_0}} - \frac{2 q_D}{2^{k_1}}.$$

5.5 Complexity Analysis 

Note that during the execution of $\mathcal{B}$, for any new $G$-query $\gamma$, one has to look at all query-answer pairs $(\delta, H_\delta)$ in the H-List, and to compute $s = \delta$, $t = \gamma \oplus H_\delta$ as well as $f(s, t)$.

Apparently, one should perform this computation again to simulate the decryption of any ciphertext. Proper bookkeeping allows the computation to be done once for each pair, when the query is asked to the hash functions. Thus, the time complexity of the overall reduction is $t' = t + q_G \cdot q_H \cdot (T_f + O(1))$, where $T_f$ denotes the time complexity for evaluating function $f$.



RSA-OAEP Is Secure under the RSA Assumption 271 



6 Application to RSA-OAEP 

The main application of OAEP is certainly the famous RSA-OAEP, which has been used to update the PKCS #1 standard. In his paper, Shoup was able to repair the security result for a small exponent, $e = 3$, using Coppersmith's algorithm. However, our result can be applied to repair RSA-OAEP, regardless of the exponent; thanks to the random self-reducibility of RSA, the partial-domain one-wayness of RSA is equivalent to that of the whole RSA problem, as soon as a constant fraction of the most significant bits (or the least significant bits) of the pre-image can be recovered.

We note that, in the original RSA-OAEP [2], the most significant bits are involved in the $H$ function, but in PKCS #1 standards v2.0 and v2.1 and RFC 2437, the least significant bits are used: the value maskedSeed$\|$maskedDB is the input to $f$, the RSA function, where maskedSeed plays the role of $t$, and maskedDB the role of $s$. But we insist on the fact that the following result holds in both situations (and can be further extended).

One may also remark that the following argument can be applied to any random (multiplicatively) self-reducible problem, such as the Rabin function. Before presenting the final reduction, let us consider the problem of finding small solutions for a linear modular equation.

Lemma 5. Consider an equation $t + au = c \bmod N$ which has solutions $t$ and $u$ smaller than $2^{k_0}$. For all values of $a$, except a fraction $2^{2k_0+6}/N$ of them, $(t, u)$ is unique and can be computed within time bound $O((\log N)^3)$.

Proof. Consider the lattice
$$L(a) = \{(x, y) \in \mathbb{Z}^2 \mid x + ay = 0 \bmod N\}.$$
We say that $L(a)$ is an $\ell$-good lattice (and that $a$ is an $\ell$-good value) if there is no non-zero vector of length at most $\ell$ (with respect to the Euclidean norm). Otherwise, we use the wording $\ell$-bad lattices (and $\ell$-bad values respectively). It is clear that there are approximately less than $\pi \ell^2$ such $\ell$-bad lattices, which we bound by $4\ell^2$. Indeed, each bad value for $a$ corresponds to a point with integer coordinates in the disk of radius $\ell$. Thus, the proportion of bad values for $a$ is less than $4\ell^2/N$.

Given an $\ell$-good lattice, one applies the Gaussian reduction algorithm. One gets within time $O((\log N)^2)$ a basis of $L(a)$ consisting of two non-zero vectors $U$ and $V$ such that
$$\|U\| \le \|V\| \quad\text{and}\quad |\langle U, V \rangle| \le \|U\|^2 / 2.$$

Let $T$ be the point $(t, u)$, where $(t, u)$ is a solution of the equation $t + au = c \bmod N$, with both $t$ and $u$ less than $2^{k_0}$:
$$T = \lambda U + \mu V, \quad\text{for some real } \lambda, \mu.$$
$$\|T\|^2 = \lambda^2 \|U\|^2 + \mu^2 \|V\|^2 + 2\lambda\mu \langle U, V \rangle \ge (\lambda^2 + \mu^2 - |\lambda\mu|) \times \|U\|^2 \ge \big((|\lambda| - |\mu|/2)^2 + 3\mu^2/4\big) \times \|U\|^2 \ge \frac{3\mu^2}{4} \times \|U\|^2 \ge \frac{3\mu^2 \ell^2}{4}.$$
Since furthermore we have $\|T\|^2 < 2 \times 2^{2k_0}$,
$$|\mu| < \frac{2\sqrt{2} \cdot 2^{k_0}}{\sqrt{3}\,\ell} \quad\text{and}\quad |\lambda| < \frac{2\sqrt{2} \cdot 2^{k_0}}{\sqrt{3}\,\ell} \text{ by symmetry}.$$
Assuming that we have set from the beginning $\ell = 2^{k_0+2} > 2^{k_0+2} \cdot \sqrt{2/3}$, then $|\lambda|, |\mu| < 1/2$.

Choose any integer solution $T_0 = (t_0, u_0)$ of the equation simply by picking a random integer $u_0$ and setting $t_0 = c - au_0 \bmod N$. Write it in the basis $(U, V)$: $T_0 = \rho U + \sigma V$ using real numbers $\rho$ and $\sigma$. These coordinates can be found, so $T - T_0$ is a solution to the homogeneous equation, and thus indicates a lattice point: $T - T_0 = aU + bV$, with unknown integers $a$ and $b$. But,
$$T = T_0 + aU + bV = (a + \rho) U + (b + \sigma) V = \lambda U + \mu V,$$
with $-1/2 < \lambda, \mu < 1/2$. As a conclusion, $a$ and $b$ are the closest integers to $-\rho$ and $-\sigma$ respectively. With $a$, $b$, $\rho$ and $\sigma$, one can easily recover $\lambda$ and $\mu$ and thus $t$ and $u$, which are necessarily unique. $\square$



Lemma 6. Let $\mathcal{A}$ be an algorithm that outputs a $q$-set containing $k - k_0$ of the most significant bits of the $e$-th root of its input (partial-domain RSA, for any $2^{k-1} < N < 2^k$, with $k > 2k_0$), within time bound $t$, with probability $\varepsilon$. There exists an algorithm $\mathcal{B}$ that solves the RSA problem $(N, e)$ with success probability $\varepsilon'$, within time bound $t'$ where
$$\varepsilon' \ge \varepsilon \times \big(\varepsilon - 2^{2k_0 - k + 6}\big), \qquad t' \le 2t + q^2 \times O(k^3).$$

Proof. Thanks to the random self-reducibility of RSA, with part of the bits of the $e$-th root of $A = (x \cdot 2^{k_0} + r)^e \bmod N$, and of the $e$-th root of $\Gamma = A\alpha^e = (y \cdot 2^{k_0} + s)^e \bmod N$, for a randomly chosen $\alpha$, one gets both $x$ and $y$. Thus,
$$\begin{aligned} (y \cdot 2^{k_0} + s) &= \alpha \times (x \cdot 2^{k_0} + r) \bmod N \\ \alpha r - s &= (y - x\alpha) \times 2^{k_0} \bmod N, \end{aligned}$$
which is a linear modular equation with two unknowns $r$ and $s$ which is known to have small solutions (smaller than $2^{k_0}$). It can be solved using Lemma 5. Algorithm $\mathcal{B}$ just runs $\mathcal{A}$ twice, on inputs $A$ and $A\alpha^e$, and next runs the Gaussian reduction on all the $q^2$ pairs of elements coming from both sets. If the partial pre-images are in the sets, they will be found, unless the random $\alpha$ is bad (cf. the Gaussian reduction in Lemma 5). $\square$
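Lemma 5 and the reduction of Lemma 6 carried out in code, as an added example (not the authors' code). The lattice solver follows the proof above: Gauss reduction of a basis of the lattice $\{(x,y) : x + ay = 0 \bmod N\}$, a random particular solution $T_0$, and rounding of its real coordinates. The "partial-root oracle" is a stand-in for the adversary $\mathcal{A}$ of Lemma 6: it cheats by using the RSA trapdoor, an assumption made only so that the reduction can be run end to end; everything else in `recover_root` uses only the public key $(N, e)$. The 196-bit modulus built from two Mersenne primes and $k_0 = 40$ are constructed toy parameters satisfying $k > 2k_0$.

```python
"""Lemma 5 (small solutions of t + a*u = c mod N via a Gauss-reduced 2-D
lattice) and Lemma 6 (partial-domain RSA -> RSA by random self-reducibility).
Added example; the 'partial-root oracle' cheats with the trapdoor so the
reduction can be exercised end to end."""
from fractions import Fraction
import secrets

P, Q = 2**89 - 1, 2**107 - 1        # toy modulus, N has k = 196 bits (constructed)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor, used only inside the cheating oracle
K0 = 40                             # k > 2*k0, as Lemma 6 requires

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def gauss_reduce(u, v):
    """Lagrange/Gauss reduction: returns (U, V) spanning the same lattice with
    ||U|| <= ||V|| and |<U,V>| <= ||U||^2 / 2 (the basis used in Lemma 5)."""
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        nu = dot(u, u)
        m = (2 * dot(u, v) + nu) // (2 * nu)      # round(<u,v> / <u,u>)
        v = (v[0] - m * u[0], v[1] - m * u[1])
        if dot(v, v) >= nu:
            return u, v
        u, v = v, u

def solve_small(a, c, n, bound):
    """Lemma 5: the unique (t, u) with 0 <= t, u < bound and t + a*u = c mod n,
    or None when the lattice is 'bad' (or no such small solution exists)."""
    U, V = gauss_reduce((n, 0), ((-a) % n, 1))   # basis of {x + a*y = 0 mod n}
    u0 = secrets.randbelow(n)                    # any particular solution T0
    t0 = (c - a * u0) % n
    det = U[0] * V[1] - U[1] * V[0]              # = +-n
    rho = Fraction(t0 * V[1] - u0 * V[0], det)   # T0 = rho*U + sigma*V over the reals
    sigma = Fraction(U[0] * u0 - U[1] * t0, det)
    ka, kb = round(-rho), round(-sigma)          # closest integers to -rho, -sigma
    t = t0 + ka * U[0] + kb * V[0]               # T = T0 + ka*U + kb*V
    u = u0 + ka * U[1] + kb * V[1]
    if 0 <= t < bound and 0 <= u < bound and (t + a * u - c) % n == 0:
        return t, u
    return None

def partial_root_oracle(A):
    """Stand-in for the Lemma 6 adversary: the top k-k0 bits of the e-th root
    of A.  Constructed with the trapdoor; a real adversary has none."""
    return pow(A, D, N) >> K0

def recover_root(A):
    """Lemma 6: from partial roots x of A = (x*2^k0 + r)^e and y of
    Gamma = A*alpha^e = (y*2^k0 + s)^e we get alpha*r - s = (y - x*alpha)*2^k0
    mod N, a linear equation whose unknowns r, s are both below 2^k0."""
    alpha = secrets.randbelow(N - 2) + 2
    x = partial_root_oracle(A)
    y = partial_root_oracle(A * pow(alpha, E, N) % N)
    c = ((y - x * alpha) << K0) % N
    # rewrite alpha*r - s = c as t + a*u = c' with t = s, a = -alpha, u = r
    sol = solve_small((-alpha) % N, (-c) % N, N, 1 << K0)
    if sol is None:
        return None
    s, r = sol
    root = (x << K0) + r
    return root if pow(root, E, N) == A else None

if __name__ == "__main__":
    root = int.from_bytes(b"constructed-root-val", "big")
    print(recover_root(pow(root, E, N)) == root)
```

The `solve_small` check on the result is what the proof calls uniqueness: when $a$ is $\ell$-good the rounded coordinates give the small solution, and the explicit verification catches the rare bad $\alpha$ (a fraction $2^{2k_0+6}/N$ of the values) instead of returning a wrong root.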
Remark 7. The above lemma can be extended to the case where a constant fraction $\theta$ of the leading or trailing bits of the $e$-th root is found. The reduction runs the adversary $\mathcal{A}$ $1/\theta$ times, and the success probability decreases to approximately $\varepsilon^{1/\theta}$. Extensions to any constant fraction of consecutive bits are also possible. Anyway, in PKCS #1 v2.0, $k_0$ is much smaller than $k/2$.



Theorem 8. Let $\mathcal{A}$ be a CCA2-adversary against the "semantic security" of RSA-OAEP (with a $k$-bit long modulus, with $k > 2k_0$), with running time bounded by $t$ and advantage $\varepsilon$, making $q_D$, $q_G$ and $q_H$ queries to the decryption oracle, and the hash functions $G$ and $H$ respectively. Then, the RSA problem can be solved with probability $\varepsilon'$ greater than
$$\varepsilon'' \times \big(\varepsilon'' - 2^{2k_0 - k + 6}\big), \qquad\text{where}\qquad \varepsilon'' = \frac{\varepsilon}{2} - \frac{2 q_D q_G + q_D + q_G}{2^{k_0}} - \frac{2 q_D}{2^{k_1}},$$
within time bound $t' \le 2t + q_H \cdot (q_H + 2 q_G) \times O(k^3)$.

Proof. Lemma 2 states that
$$\mathrm{Succ}^{\mathrm{s\text{-}pd\text{-}ow}}(q_H, t'') \ge \frac{\varepsilon}{2} - \frac{2 q_D q_G + q_D + q_G}{2^{k_0}} - \frac{2 q_D}{2^{k_1}},$$
with $t'' \le t + q_G \cdot q_H \cdot (T_f + O(1))$, and $T_f = O(k^3)$. Using the previous results (Lemma 6) relating $q_H$-set partial-domain RSA and RSA, we easily conclude. $\square$

7 Conclusion 

Our conclusion is that one can still trust the security of RSA-OAEP, but the 
reduction is more costly than the original one. However, for other OAEP ap- 
plications, more care is needed, since the security does not actually rely on the 
one-wayness of the permutation, only on its partial-domain one-wayness. 

Acknowledgments. We thank Victor Shoup, Don Coppersmith and Dan 
Boneh for fruitful comments. 
Abstract. Optimal Asymmetric Encryption Padding (OAEP) is a technique for converting the RSA trapdoor permutation into a chosen ciphertext secure system in the random oracle model. OAEP padding can be viewed as two rounds of a Feistel network. We show that for the Rabin and RSA trapdoor functions a much simpler padding scheme is sufficient for chosen ciphertext security in the random oracle model. We show that only one round of a Feistel network is sufficient. The proof of security uses the algebraic properties of the RSA and Rabin functions.



1 Introduction 

In an influential paper Bellare and Rogaway [2] introduced the Optimal Asym- 
metric Encryption Padding (OAEP) system. OAEP is most commonly used for 
strengthening the RSA and Rabin encryption schemes. OAEP is widely deployed 
and appears in several standards. Shoup [11] recently described a modification 
to OAEP called OAEP+ that provably converts any trapdoor permutation into a 
chosen ciphertext secure system in the random oracle model. Shoup also showed 
that applying OAEP to the RSA permutation with public exponent e = 3 gives 
a chosen ciphertext secure system in the random oracle model. Fujisaki et al. [8] 
were able to extend the result and prove that the same holds for the RSA per- 
mutation with any RSA public exponent e. 

We show that for the RSA and Rabin systems, much simpler padding schemes 
can be shown to be chosen ciphertext secure in the random oracle model. We 
introduce two simple padding schemes. The first is called Simple-OAEP, or SAEP 
for short. The second is called SAEP+. We note that simplifying the padding 
scheme makes the system easier to describe and easier to implement, and thus is 
more elegant. Simplifying the padding scheme has little bearing on performance 
since padding time is negligible compared to public key operations. 

We begin by describing SAEP and SAEP+ padding (see Figure 1). Let $M$ be a message $M \in \{0,1\}^m$ and let $r$ be a random string $r \in \{0,1\}^{s_0}$. Let $H$ be a hash function from $\{0,1\}^{s_0}$ to $\{0,1\}^{m+s_1}$. Let $G$ be a hash function from $\{0,1\}^{m+s_0}$ to $\{0,1\}^{s_1}$. Define the new padding schemes SAEP and SAEP+ as follows:
$$\mathrm{SAEP}(M, r) = \big((M \| 0^{s_1}) \oplus H(r)\big) \,\|\, r$$
$$\mathrm{SAEP}^+(M, r) = \big((M \| G(M \| r)) \oplus H(r)\big) \,\|\, r$$
These padding schemes are to be used as preprocessing functions with the Rabin or RSA trapdoor functions. To encrypt a message $M \in \{0,1\}^m$ first pick a random $r \in \{0,1\}^{s_0}$, compute $y = \mathrm{SAEP}(M, r)$, and set $C = y^2 \bmod N$ or $C = y^e \bmod N$ for some RSA exponent $e$.
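SAEP+ combined with the Rabin function $C = y^2 \bmod N$, as an added example (not Boneh's code). It assumes the usual way of decrypting Rabin, which this page does not show: compute the four square roots of $C$ by CRT (both toy primes are $3 \bmod 4$, so roots modulo each prime are $C^{(p+1)/4}$) and let the redundancy $G(M\|r)$ select the correct one. The bit lengths $m = 48$, $s_0 = 40$, $s_1 = 40$ and the 196-bit modulus are constructed toy values; they satisfy $m + s_0 < n/2$ but are far below real-world sizes.

```python
"""SAEP+ padding with the Rabin function (C = y^2 mod N).  Added example, not
Boneh's code.  Lengths m, s0, s1 are taken as whole bytes."""
import hashlib
import secrets

M_LEN, S0, S1 = 6, 5, 5              # m = 48, s0 = 40, s1 = 40 bits (toy sizes)
PAD_LEN = M_LEN + S1 + S0            # |SAEP+(M,r)| = m + s1 + s0 bits = 16 bytes

# Toy Blum modulus (constructed): both Mersenne primes are 3 mod 4, so square
# roots mod p are c^((p+1)/4).  n = 196 bits, and m + s0 = 88 < n/2.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def H(r: bytes) -> bytes:        # {0,1}^{s0} -> {0,1}^{m+s1}  (SHA-256 stand-in)
    return hashlib.sha256(b"H|" + r).digest()[:M_LEN + S1]

def G(mr: bytes) -> bytes:       # {0,1}^{m+s0} -> {0,1}^{s1}
    return hashlib.sha256(b"G|" + mr).digest()[:S1]

def saep_plus(M: bytes, r: bytes) -> bytes:
    """SAEP+(M, r) = ((M || G(M||r)) xor H(r)) || r."""
    assert len(M) == M_LEN and len(r) == S0
    return xor(M + G(M + r), H(r)) + r

def unpad(y: bytes):
    """Inverse of saep_plus with the integrity check; None if the tag is wrong."""
    v, r = y[:M_LEN + S1], y[M_LEN + S1:]
    w = xor(v, H(r))
    M, tag = w[:M_LEN], w[M_LEN:]
    return M if tag == G(M + r) else None

def encrypt(M: bytes, r: bytes = None) -> int:
    """Rabin-SAEP+: C = SAEP+(M, r)^2 mod N."""
    r = secrets.token_bytes(S0) if r is None else r
    y = int.from_bytes(saep_plus(M, r), "big")
    return pow(y, 2, N)

def sqrt_mod_n(C: int):
    """All four square roots of C modulo N = P*Q via CRT (P, Q are 3 mod 4)."""
    rp = pow(C % P, (P + 1) // 4, P)
    rq = pow(C % Q, (Q + 1) // 4, Q)
    cq = pow(Q, -1, P) * Q            # CRT coefficients: 1 mod P, 0 mod Q
    cp = pow(P, -1, Q) * P            #                   0 mod P, 1 mod Q
    return {(sp * cq + sq * cp) % N for sp in (rp, P - rp) for sq in (rq, Q - rq)}

def decrypt(C: int):
    """Rabin decryption: the redundancy G(M||r) selects the right root; a
    ciphertext with no root that unpads correctly is rejected (None)."""
    for y in sqrt_mod_n(C):
        if y * y % N != C % N or y >= 1 << (8 * PAD_LEN):
            continue                  # not a root (C not a residue) or too long
        M = unpad(y.to_bytes(PAD_LEN, "big"))
        if M is not None:
            return M
    return None

if __name__ == "__main__":
    M, r = bytes.fromhex("010203040506"), bytes.fromhex("0a0b0c0d0e")
    C = encrypt(M, r)
    print(decrypt(C) == M, decrypt(C ^ 1))
```

The root selection is where the $s_1$-bit redundancy does its work: of the four roots only the padded value is shorter than $m + s_1 + s_0$ bits and carries a matching tag, and a tampered ciphertext is rejected because none of its roots do.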

Both schemes provide security against an adaptive chosen ciphertext attack 
in the random oracle model for appropriate values of m, sq, si. Let N be an n-bit 
modulus. We prove the following results for the Rabin and RSA functions: 
SAEP: Let Rabin-SAEP be the encryption scheme resulting from combining 
SAEP with the Rabin trapdoor function, f{x) = mod N (as described in the 
next section). We show that Rabin-SAEP provides chosen ciphertext security 
whenever m-Pso < ''^/2 and m < n/4. Security is based on the hardness of fac- 
toring large RSA composites. The reduction is very efficient. It is based entirely 
on applying Coppersmith’s algorithm [6] to quadratic and quartic polynomi- 
als. SAEP works well with the Rabin function, but is hard to use with RSA, as 
explained in Section 4. 

SAEP+: Both RSA-SAEP+ (for any RSA exponent $e$) and Rabin-SAEP+ can be 
shown to be chosen ciphertext secure whenever $m + s_0 < n/2$. The reduction 
to factoring for Rabin-SAEP+ is extremely efficient. The proof is based on 
Coppersmith's algorithm. For RSA-SAEP+ the reduction to breaking RSA is 
less efficient. Its running time is similar to the running time of the reduction 
in the proof of security for RSA-OAEP [8]. 

SAEP+ is more flexible than SAEP in a number of ways. First, SAEP+ can be 
used with both Rabin and RSA (although Rabin is preferred). Second, SAEP+ 
can encrypt messages of longer size. For example, when using a 1024-bit 
modulus ($n = 1024$) one often takes $s_0 = 128$ for proper security. In this case, the 
maximum message length in SAEP is 256 bits. In SAEP+ the maximum length 
is 384 bits. Note that since a 1024-bit modulus is often used for transporting a 
128-bit session key, both SAEP and SAEP+ are adequate for this purpose. 

In some cases it might be desirable to allow for longer messages to be 
encrypted with SAEP+. In Section 5 we note that the proof of security for RSA-SAEP+ 
can be extended so that the scheme is secure whenever $m + s_0 < n(1 - \delta)$ 
for any fixed $\delta > 0$. This means $M$ could be almost as long as the modulus. 
However, the efficiency of the reduction to breaking RSA degrades exponentially in 
$1/\delta$. Hence, throughout the paper we stick with $\delta = 1/2$. The extended proof is 
based on solutions to the Hidden Number Problem [4] modulo a composite. 

Both SAEP and SAEP+ work best with the Rabin function. The resulting 
systems are better than their RSA counterparts in all aspects: (1) encryption 
is slightly faster, (2) the reduction given in the security proof is more efficient, 
and (3) security relies on the difficulty of factoring rather than the difficulty of 
inverting the RSA permutation. 
Fig. 1. SAEP and SAEP+ padding (panels: SAEP padding; SAEP+ padding) 



Comparison of OAEP and SAEP. OAEP, presented by Bellare and Rogaway, 
and OAEP+, presented by Shoup, both provide chosen ciphertext security for 
the RSA trapdoor permutation (although OAEP+ has a more efficient security 
proof). These padding schemes are defined as follows: 

$$\mathrm{OAEP}(M,r) = \big( (M \,\|\, 0^{s_0}) \oplus H(r) \big) \,\|\, \Big( r \oplus G\big( (M \,\|\, 0^{s_0}) \oplus H(r) \big) \Big)$$

$$\mathrm{OAEP}^+(M,r) = \big( (M \oplus H(r)) \,\|\, W(M,r) \big) \,\|\, \Big( r \oplus G\big( (M \oplus H(r)) \,\|\, W(M,r) \big) \Big)$$

where $H, G, W$ are hash functions. Schematically both OAEP and OAEP+ look 
like two rounds of a Feistel network. Clearly the new padding schemes, SAEP 
and SAEP+, are simpler. These new schemes are only a single round of a Feistel 
network. 

Although the new padding schemes are simpler than OAEP, they are slightly 
more restrictive. Using OAEP and OAEP+ one can encrypt messages that are 
almost as long as the modulus. For example, for a 1024-bit modulus it is safe 
to encrypt messages that are 768 bits long. In contrast, using the same modulus 
size, SAEP+ can only encrypt 384-bit messages. This difference is irrelevant for 
common applications (e.g. key transport), but is worth pointing out. 



1.1 Chosen Ciphertext Security 

Adaptive chosen ciphertext security is the accepted notion for secure encryption. 
We have confidence in this notion since it captures a wide range of attacks, 
and is equivalent to several other useful security notions [7,3]. We present the 
definition due to Rackoff and Simon [12]. Define a $(t, q_D)$ chosen ciphertext attack 
algorithm $A$ as a $t$-time algorithm that interacts with a challenger as follows: 

Setup: The challenger generates a public/private key pair. It gives the public 
key to the attacker $A$ and keeps the private key to itself. 

Phase I: The attacker $A$ issues decryption queries for various ciphertexts $C$. 
The challenger responds with the decryption of all valid ciphertexts. 

Challenge: At some point algorithm $A$ outputs two messages $M_0, M_1$. The 
challenger responds with a ciphertext $C^*$ which is the encryption of $M_b$, where 
$b$ is randomly chosen in $\{0,1\}$. 

Phase II: The attacker $A$ continues to issue decryption requests $C$, subject to 
the constraint $C \ne C^*$. Finally algorithm $A$ terminates and outputs $b' \in \{0,1\}$. 

We say that the attacker is successful if $b = b'$. During the attack the attacker 
is allowed to make at most $q_D$ decryption queries. We define the adversary's 
advantage as: 

$$\mathrm{adv}(A) = \big|\Pr[b = b'] - \tfrac{1}{2}\big|$$

We say that a system is $(t, \epsilon, q_D)$ secure if no $(t, q_D)$ attacker has advantage more 
than $\epsilon$. 

Random oracles: To analyze the security of certain natural constructions Bellare 
and Rogaway introduced an idealized world called the random oracle model [1]. 
A system that has chosen ciphertext security in this idealized world is said to 
be chosen ciphertext secure in the random oracle model. Security in the random 
oracle model does not imply security in the real world [5]. Nevertheless, the 
random oracle model is a useful tool for validating natural constructions. Given an 
encryption scheme using hash functions $H_1, \dots, H_n$ we use $(t, q_D, q_{H_1}, \dots, q_{H_n})$ 
to denote a $(t, q_D)$ chosen ciphertext attacker that makes at most $q_{H_i}$ queries to 
the hash function $H_i$. 



1.2 Coppersmith’s Algorithm 

The proofs of security for SAEP and SAEP+ are based on an important result 
due to Coppersmith [6]. Coppersmith proved the following theorem: 

Theorem 1 (Coppersmith). Let $N$ be an integer and let $f(x) \in \mathbb{Z}_N[x]$ be a 
monic polynomial of degree $d$. Then there is an efficient algorithm to find all 
$x_0 \in \mathbb{Z}$ such that $f(x_0) = 0 \bmod N$ and $|x_0| < N^{1/d}$. 

We denote by $T_C(N,d)$ the running time of Coppersmith's algorithm when 
finding roots of a polynomial $f \in \mathbb{Z}[x]$ of degree $d$. In our proofs we only apply 
Coppersmith's algorithm to quadratic and quartic polynomials. 



2 Full Description of SAEP and SAEP+ 

We now give a full description of the SAEP and SAEP+ systems for RSA and 
Rabin. We first describe these schemes as they apply to the Rabin function. 
In doing so we deal with complications that arise from the fact that $f(x) = x^2 \bmod N$ 
is not a permutation of $\mathbb{Z}_N$. Let $m, s_0, s_1$ be security parameters. 
Set $n = m + s_0 + s_1$. We will make use of a hash function $H : \{0,1\}^{s_1} \to \{0,1\}^{m+s_0}$. 
The Rabin-SAEP system is composed of three algorithms: key-gen, 
encrypt, decrypt. We describe each of these algorithms in turn: 

key-gen: The key generation algorithm takes a security parameter $n$ and produces 
an $(n+2)$-bit RSA modulus $N = pq$ where $p$ and $q$ are $(n/2+1)$-bit primes. 
We require that $p = q = 3 \bmod 4$. We also require that $N \in [2^{n+1}, 2^{n+1} + 2^n)$, 
i.e. that the two most significant bits of $N$ are '10'. Any of the standardized 
methods can be used to generate $p$ and $q$ [9]. The public key is $N$. The private 
key is the factorization of $N$, namely $(p, q)$. 
encrypt: We wish to encrypt a message $M \in \{0,1\}^m$: 

Step 1: Pick a random $r \in \{0,1\}^{s_1}$. 

Step 2: Set $t = 0^{s_0}$. 

Step 3: Set $v = M \| t \in \{0,1\}^{m+s_0}$. 

Step 4: Set $x = v \oplus H(r)$. 

Step 5: Set $y = x \| r \in \{0,1\}^n$. We view $y$ as an $n$-bit integer. 
Note that $y < N/2$. 

Step 6: Define the ciphertext $C$ as $C = y^2 \bmod N$. 
decrypt: Given a ciphertext $C \in \mathbb{Z}_N$ we decrypt using the steps below. We let $A$ 
and $B$ be the Chinese Remainder coefficients, i.e. $A$ is $1 \bmod p$ and $0 \bmod q$, 
and $B$ is $0 \bmod p$ and $1 \bmod q$. 

Step 1: Compute $z_p = C^{(p+1)/4} \bmod p$ and $z_q = C^{(q+1)/4} \bmod q$. 
Since $p = q = 3 \bmod 4$ it follows that $z_p, z_q$ are square roots of $C$ in $\mathbb{Z}_p, \mathbb{Z}_q$ 
respectively. 

Step 2: Test that $z_p^2 = C \bmod p$ and $z_q^2 = C \bmod q$. If either condition does not 
hold, then $C$ is not a quadratic residue in $\mathbb{Z}_N$. Reject this $C$ as an invalid 
ciphertext. 

Step 3: Set $y_1 = A \cdot z_p + B \cdot z_q \bmod N$ and $y_2 = A \cdot z_p - B \cdot z_q \bmod N$. The 
four square roots of $C \bmod N$ are $\pm y_1$ and $\pm y_2$. Two of these four roots 
must be greater than $N/2$ and hence can be discarded. Let $y_1, y_2$ be the 
two remaining square roots. If neither of $y_1, y_2$ is in $[0, 2^n)$ then reject $C$ as 
an invalid ciphertext. Without loss of generality we assume both $y_1, y_2$ are 
in $[0, 2^n)$. 

Step 4: View both $y_1$ and $y_2$ as strings in $\{0,1\}^n$. Write $y_1 = x_1 \| r_1$ and 
$y_2 = x_2 \| r_2$ with $x_1, x_2 \in \{0,1\}^{m+s_0}$ and $r_1, r_2 \in \{0,1\}^{s_1}$. 

Step 5: Set $v_1 = x_1 \oplus H(r_1)$ and $v_2 = x_2 \oplus H(r_2)$. 

Step 6: Write $v_1 = M_1 \| t_1$ and $v_2 = M_2 \| t_2$ where $M_1, M_2 \in \{0,1\}^m$ and 
$t_1, t_2 \in \{0,1\}^{s_0}$. 

Step 7: For $i = 1, 2$ test if $t_i$ is equal to $0^{s_0}$. If this condition holds for either 
none or both of $v_1, v_2$ then reject $C$ as an invalid ciphertext. 

Step 8: Let $i \in \{1,2\}$ be the unique $i$ for which the condition of Step 7 holds. 
Output $M_i$ as the decryption of $C$. 
Note that in Step 7, if both $t_1$ and $t_2$ are equal to $0^{s_0}$ the decryptor cannot 
choose between them. Hence, in this case the ciphertext is rejected. This means 
that with very low probability, namely $2^{-s_0}$, a valid ciphertext might be rejected 
by the decryptor (recall that typically $s_0 \ge 128$). For most applications such low 
error probabilities can be ignored. One concern is whether a malicious encryptor 
can create a valid ciphertext that will be rejected by the decryptor in Step 7. 
It is easy to show that in the random oracle model the encryptor would have 
to spend expected time $O(2^{s_0})$ to create such a ciphertext. This is sufficient for 
most applications. We note that if a negligible error probability is unacceptable 
then the encryptor could keep choosing random $r$'s until $y$ has Jacobi symbol 1. 
This enables the decryptor to select the correct square root by choosing the 
unique root $y_i \in [0, 2^n)$ with Jacobi symbol 1. However, this is unnecessary and 
makes the scheme less efficient. 

During decryption invalid ciphertexts can be rejected in Steps 2 and 3 as well 
as in Step 7. Manger [10] points out the importance of preventing an attacker 
from distinguishing between rejections at the various steps, say, using timing 
analysis. Implementors must ensure that the reason a ciphertext is rejected is 
hidden from the outside world. Indeed, our proof of security fails if this is not 
the case. 

Description of Rabin-SAEP+: The description of Rabin-SAEP+ is very similar 
to Rabin-SAEP. SAEP+ makes use of an additional hash function $G : \{0,1\}^{m+s_1} \to \{0,1\}^{s_0}$. 
Key generation for Rabin-SAEP+ is identical to key generation for Rabin-SAEP. 
Encryption differs only in Step 2 where $t$ is defined as 
$t = G(M, r) \in \{0,1\}^{s_0}$. Decryption differs only in Step 7 where the condition 
tested is whether $t_i$ is equal to $G(M_i, r_i)$. 

The description of RSA-SAEP+ is analogous to the one given above. Decryp- 
tion is a bit simpler since one does not have to worry about multiple preimages 
to the RSA trapdoor permutation. 
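The key-gen, encrypt and decrypt procedures of Section 2, for both Rabin-SAEP and Rabin-SAEP+, as an added example (not the paper's own code). It assumes SHA-256 based stand-ins for the random oracles $H$ and $G$ and scaled-down parameters ($n = 128$); decrypt has a single exit because, as noted above, the reason a ciphertext is rejected must stay hidden.

```python
"""Toy Rabin-SAEP / Rabin-SAEP+ (Section 2). Added example, not the paper's code.
Assumptions: H and G are domain-separated SHA-256 truncated to length (random-oracle
stand-ins), and the parameters are scaled to m = 24, s0 = 32, s1 = 72 (n = 128), which
still satisfy m < n/4 and m + s0 < n/2 as Theorem 4 requires."""
import hashlib
import random

M_BITS, S0, S1 = 24, 32, 72                 # m, s0, s1
N_BITS = M_BITS + S0 + S1                   # n = m + s0 + s1

def _oracle(tag: bytes, data: bytes, nbits: int) -> int:
    """Random-oracle stand-in: SHA-256 with a domain tag, truncated to nbits."""
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") >> (256 - nbits)

def H(r: int) -> int:
    """H : {0,1}^s1 -> {0,1}^(m+s0)."""
    return _oracle(b"H", r.to_bytes((S1 + 7) // 8, "big"), M_BITS + S0)

def G(msg: int, r: int) -> int:
    """G : {0,1}^(m+s1) -> {0,1}^s0, used only by SAEP+."""
    return _oracle(b"G", ((msg << S1) | r).to_bytes((M_BITS + S1 + 7) // 8, "big"), S0)

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(x: int) -> bool:
    """Miller-Rabin; these bases are deterministic for x < 3.3e24 (covers 65-bit p, q)."""
    if x < 2 or any(x % b == 0 for b in _BASES):
        return x in _BASES
    d, s = x - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        v = pow(a, d, x)
        if v in (1, x - 1):
            continue
        for _ in range(s - 1):
            v = v * v % x
            if v == x - 1:
                break
        else:
            return False
    return True

def keygen(rng: random.Random):
    """key-gen: (n+2)-bit N = pq, p = q = 3 mod 4, and 2^(n+1) <= N < 2^(n+1) + 2^n."""
    half = N_BITS // 2 + 1                  # p and q are (n/2 + 1)-bit primes
    def prime() -> int:
        while True:
            c = rng.getrandbits(half) | (1 << (half - 1)) | 3   # full length, = 3 mod 4
            if is_probable_prime(c):
                return c
    lo, hi = 1 << (N_BITS + 1), (1 << (N_BITS + 1)) + (1 << N_BITS)
    while True:                             # retry until the top two bits of N are '10'
        p, q = prime(), prime()
        if p != q and lo <= p * q < hi:
            return p * q, (p, q)

def pad(msg: int, r: int, plus: bool) -> int:
    """Steps 2-5: y = ((M || t) xor H(r)) || r, with t = 0^s0 (SAEP) or G(M, r) (SAEP+)."""
    t = G(msg, r) if plus else 0
    x = ((msg << S0) | t) ^ H(r)
    return (x << S1) | r                    # y < 2^n < N/2

def encrypt(N: int, msg: int, rng: random.Random, plus: bool = False) -> int:
    if not 0 <= msg < (1 << M_BITS):
        raise ValueError("message must be an m-bit string")
    y = pad(msg, rng.getrandbits(S1), plus) # Step 1 picks a fresh s1-bit r
    return pow(y, 2, N)                     # Step 6: C = y^2 mod N

def decrypt(N: int, pq: tuple, C: int, plus: bool = False):
    """Returns M, or None for an invalid ciphertext. Rejections at Steps 2, 3 and 7 all
    reach the same final return, so the caller learns nothing about which step failed."""
    p, q = pq
    zp, zq = pow(C, (p + 1) // 4, p), pow(C, (q + 1) // 4, q)   # Step 1
    is_qr = zp * zp % p == C % p and zq * zq % q == C % q        # Step 2
    A = q * pow(q, -1, p)                   # A = 1 mod p, 0 mod q
    B = p * pow(p, -1, q)                   # B = 0 mod p, 1 mod q
    y1, y2 = (A * zp + B * zq) % N, (A * zp - B * zq) % N        # Step 3
    roots = {y for y in (y1, N - y1, y2, N - y2) if is_qr and y < (1 << N_BITS)}
    found = []
    for y in roots:                         # Steps 4-7 on each surviving root
        x, r = y >> S1, y & ((1 << S1) - 1)
        v = x ^ H(r)
        m_i, t_i = v >> S0, v & ((1 << S0) - 1)
        if t_i == (G(m_i, r) if plus else 0):
            found.append(m_i)
    return found[0] if len(found) == 1 else None                 # Step 8, or reject

def run_demo(seed: int = 2001) -> dict:
    """Key generation and round trips; returns the observations a test can check."""
    rng = random.Random(seed)
    N, pq = keygen(rng)
    out = {"modulus_bits": N.bit_length(), "roundtrip": True, "tampered_rejected": True}
    for plus in (False, True):
        for msg in (0, 1, 0xABCDEF, (1 << M_BITS) - 1):
            C = encrypt(N, msg, rng, plus)
            out["roundtrip"] &= decrypt(N, pq, C, plus) == msg
            out["tampered_rejected"] &= decrypt(N, pq, (C + 1) % N, plus) is None
    # A SAEP+ ciphertext unpadded with the SAEP rule fails Step 7: t = G(M, r) != 0^s0.
    out["wrong_scheme_rejected"] = decrypt(N, pq, encrypt(N, 7, rng, True), False) is None
    return out
```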

2.1 Complexity Assumptions 

Throughout the paper we use the following standard complexity assumptions: 

Factoring assumption: We say that a $t$-time algorithm $B$ is an $(n, t)$ factoring 
algorithm with advantage $\epsilon$ if $B$ succeeds with probability at least $\epsilon$ in factoring 
$n$-bit integers generated by the key-gen algorithm. The probability is over the 
random bits used by algorithms key-gen and $B$. We write $\mathrm{adv}(B) = \epsilon$. We 
say that the $(n, t, \epsilon)$ factoring assumption holds if there is no $(n, t)$ factoring 
algorithm with advantage $\epsilon$. 

RSA assumption: We say that a $t$-time algorithm $B$ is an $(n, e, t)$ algorithm 
for computing $e$'th roots in $\mathbb{Z}_N$ with advantage $\epsilon$ if $B$ succeeds with probability 
at least $\epsilon$ in computing $x^{1/e} \bmod N$ for an $n$-bit integer $N$ generated by the 
key-gen algorithm and a random $x \in \mathbb{Z}_N$. The probability is over $x$ and the 
random bits used by algorithms key-gen, $B$. We write $\mathrm{adv}(B) = \epsilon$. We say 
that the $(n, e, t, \epsilon)$ RSA assumption holds if there is no $(n, e, t)$ algorithm with 
advantage $\epsilon$. 
3 Two Simple Facts 

We state two simple facts that will be useful in the proof of security. 

Fact 2. Let $N = pq$ be an $(n+2)$-bit integer generated by the key-gen algorithm, 
i.e. $N \in [2^{n+1}, 2^{n+1} + 2^n)$. Let $a$ be a random integer in $[0, 2^n)$ and $C^* = a^2 \bmod N$. 
Then with probability at least $1/3$ (over the choice of $a$) there exist two distinct 
integers $y_1^*, y_2^* \in [0, 2^n)$ such that $(y_1^*)^2 = (y_2^*)^2 = C^* \bmod N$. 

Proof. The condition $N \in [2^{n+1}, 2^{n+1} + 2^n)$ implies that $2^n < N/2$ and that 
$N/2^{n+1} < 3/2$. Let $a \in [0, 2^n)$. Since $2^n < N/2$ we know that $C^* = a^2 \bmod N$ 
always has either one or two square roots in $[0, 2^n)$. Let $A$ be the number of 
$a \in [0, 2^n)$ so that $a^2 \bmod N$ has one root in $[0, 2^n)$. Let $B$ be the number of 
$a \in [0, 2^n)$ so that $a^2 \bmod N$ has two roots in $[0, 2^n)$. We know $A + B = 2^n$. 
Furthermore, we know that for every $a \in [0, 2^n)$ relatively prime to $N$ we have 
that $a^2 \bmod N$ has exactly two roots in $[0, N/2)$. The number of $a$ not relatively 
prime to $N$ is at most $p + q$. Therefore, $A \le (N/2 - 2^n) + p + q$ and hence 
$B \ge 2^n - (N/2 - 2^n) - p - q = 2^{n+1} - N/2 - p - q$. We get that: 

$$\frac{B}{2^n} \ \ge\ 2 - \frac{N}{2^{n+1}} - \frac{p+q}{2^n} \ \ge\ \frac{1}{2} - \frac{p+q}{2^n} \ \ge\ \frac{1}{3}$$

□ 

Fact 3. Let $N = pq$ be an $(n+2)$-bit integer generated by the key-gen algorithm. 
Let $a$ be a random integer in $[0, 2^n)$ and set $C^* = a^2$. Let $y_1^*, y_2^* \in [0, 2^n)$ be two 
integers such that $(y_1^*)^2 = (y_2^*)^2 = C^* \bmod N$. When $C^*$ has two distinct roots 
in $[0, 2^n)$ we assume $y_1^* \ne y_2^*$, otherwise set $y_1^* = y_2^*$. Let $c$ be a random bit in 
$\{1, 2\}$. Then $y_c^*$ is a uniform random variable in $[0, 2^n)$ over the choice of $(a, c)$. 

The proof of Fact 3 is immediate. 



4 Proof of Security of Rabin-SAEP 

We show that an attacker capable of mounting a successful adaptive chosen 
ciphertext attack on Rabin-SAEP in the random oracle model can be used to 
efficiently factor large integers. We use $m, s_0, s_1$ as the security parameters of 
SAEP and set $n = m + s_0 + s_1$. Recall that the SAEP key-gen algorithm generates 
an $(n+2)$-bit modulus $N$. 

Theorem 4. Let $N = pq$ be an integer generated by the Rabin-SAEP key-gen 
algorithm given the security parameter $n$. We assume $m < n/4$ and $m + s_0 < n/2$. 
Let $A$ be a $(t, q_D, q_H)$ chosen ciphertext attack algorithm in the random oracle 
model. Suppose $A$ has advantage $\epsilon$ when attacking Rabin-SAEP modulo $N$. Then 
there is a uniform algorithm $B$ for factoring $N$ with the following parameters: 

$$\mathrm{time}(B) = \mathrm{time}(A) + O(q_D q_H T_C + q_D T_C')$$

$$\mathrm{adv}(B) \ \ge\ \tfrac{1}{6} \cdot \mathrm{adv}(A) \cdot \Big(1 - \frac{2q_D}{2^{s_0}} - \frac{2q_D}{2^{s_1}}\Big)$$

Here $T_C = T_C(n, 2)$ and $T_C' = T_C(n, 4)$. 
Proof of Theorem 4. Let $N$ be an $(n+2)$-bit integer generated by the key-gen 
algorithm. To factor $N$ algorithm $B$ begins by picking a random $a \in [0, 2^n)$ 
and computing $C^* = a^2 \bmod N$. We show an algorithm that takes $C^*$ as input, 
interacts with $A$, and outputs a square root $a' \in [0, 2^n)$ of $C^* \bmod N$ with 
probability at least $\epsilon' = \epsilon \cdot (1 - 2q_D/2^{s_0} - 2q_D/2^{s_1})$. By Fact 2 we know that 
$C^*$ has two distinct square roots $\gamma, \gamma' \in [0, 2^n)$ with probability at least $1/3$. 
Therefore, $a \ne a'$ with probability $1/6$. When this happens, we can factor $N$ by 
computing $\gcd(N, a - a')$. Since both $0 < a, a' < N/2$ this is guaranteed to give 
a non-trivial factor of $N$. Overall, we succeed in factoring $N$ with probability at 
least $\epsilon'/6$ as required. 

The rest of the proof focuses on computing a square root $a'$ of $C^*$. We 
construct a simulator that given $C^*$ interacts with algorithm $A$ and produces 
a root. The simulator responds to $A$'s decryption queries and $H$ hash queries, 
and provides algorithm $A$ with the challenge ciphertext. We first give a high 
level description of the simulator (the simulator is described in detail below). 
The simulator gives $C^*$ as the challenge ciphertext to the attacker $A$. Suppose 
$C^* = (y_1^*)^2 = (y_2^*)^2 \bmod N$ for some $y_1^*, y_2^* \in [0, 2^n)$ (unknown to the simulator). 
For $i = 1, 2$ write $y_i^* = x_i^* \| r_i^*$ with $r_i^* \in \{0,1\}^{s_1}$ and $x_i^* \in \{0,1\}^{m+s_0}$. If $A$ is 
to have any information about the decryption of $C^*$ we will show that it must 
either query the function $H$ at a point $r_i^*$ or issue a decryption query involving 
one of $r_1^*, r_2^*$ as described below. First, we show that once the simulator receives 
a query for one of $H(r_1^*)$ or $H(r_2^*)$ it can easily deduce a square root of $C^*$. 
Given $r_i^*$ we know that $x_i^*$ is a root of $f(x) = (2^{s_1} x + r_i^*)^2 - C^* \bmod N$. Since 
$x_i^* < 2^{m+s_0} < \sqrt{N}$, the simulator can use Coppersmith's algorithm to find $x_i^*$. 
Then $y_i^* = x_i^* \| r_i^*$ is a square root of $C^*$ as required. 

Next, we give a high level description of how the simulator responds to $A$'s 
decryption queries. Suppose the attacker issues a decryption query for the 
ciphertext $C$. Let $C = y^2 \bmod N$ for some $y \in [0, 2^n)$ and let $r$ be the $s_1$ least 
significant bits of $y$. We will show that if $C$ is a valid ciphertext, then $H(r)$ must 
already be defined (otherwise, with high probability, the string $0^{s_0}$ will not be 
found when unpadding $y$). Hence, the $r$ used to create $C$ must satisfy one of the 
following: (1) the attacker queried $H(r)$ prior to issuing the decryption query, 
or (2) $r = r_1^*$ or $r = r_2^*$. Suppose method (1) is used. Then when the decryption 
query is issued, the simulator already has $r$, which enables it to find the square 
root of $C$, as above. Suppose method (2) is used, i.e. $r = r_i^*$ for some $i \in \{1, 2\}$. 
In this case, assuming $C$ is a valid ciphertext, we know that $y = y_i^* + 2^{s_0+s_1}\Delta$ 
for some $|\Delta| < 2^m < N^{1/4}$. Hence, define the two polynomials: 

$$f(z) = z^2 - C^* \qquad\text{and}\qquad g(z, \Delta) = (z + 2^{s_0+s_1}\Delta)^2 - C$$

Then $f(y_i^*) = g(y_i^*, \Delta) = 0 \bmod N$. Therefore, $\Delta$ must be a root of the resultant 
$h = \mathrm{Res}_z(f, g)$ which is a quartic polynomial in $\Delta$. Since $|\Delta| < N^{1/4}$ we can use 
Coppersmith's algorithm to find $\Delta$. Using $\Delta$ the simulator easily finds $y_i^*$ which 
is a square root of $C^*$ as required. Hence, decryption queries for valid ciphertexts 
are either correctly answered or they lead directly to a square root of $C^*$. 

We are now ready to describe the complete simulator for computing square roots. 
It works as follows: 
Setup: The simulator gives $A$ the value $N$ as the public key to be attacked. It 
also gives $A$ the security parameters $m, s_0, s_1$. 

$H$-queries: At any time $A$ can query $H$ at $r \in \{0,1\}^{s_1}$. The simulator needs 
to respond with $H(r)$. To respond to such $H$-queries the simulator maintains 
a list, called the $H_{\text{list}}$. The $H_{\text{list}}$ is a list of tuples of the form $(z, H(z))$ that 
records all responses to previous $H$-queries. The $H_{\text{list}}$ is initially empty. To 
respond to the query $r$ the simulator works as follows: 

Step 1: If $r$ already appears as the left hand side of some tuple $(z, H(z))$ in 
the $H_{\text{list}}$ then respond to $A$ with $H(r) = H(z)$. 

Step 2: Consider the polynomial $f(x) = (2^{s_1} x + r)^2 - C^*$. The simulator runs 
Coppersmith's algorithm to try to find a solution $|x_0| < 2^{m+s_0} < \sqrt{N}$ 
satisfying $f(x_0) = 0 \bmod N$. If a solution is found, the simulator outputs 
$2^{s_1} x_0 + r$ as the square root of $C^*$ and terminates the simulation. 

Step 3: Otherwise, the simulator picks a random $w \in \{0,1\}^{m+s_0}$ and sets 
$H(r) = w$. It adds the tuple $(r, w)$ to the $H_{\text{list}}$ and responds to $A$ by saying 
$H(r) = w$. 

Challenge: At some point $A$ produces two plaintexts $M_0, M_1 \in \{0,1\}^m$ where 
it wishes to be challenged. The simulator responds with $C^*$ as the challenge 
ciphertext. 

Decryption queries: Let $C \in \mathbb{Z}_N$ be a ciphertext output by $A$. The simulator 
must decrypt $C$ or reject it as an invalid ciphertext. We construct a plaintext 
extractor to decrypt $C$. The plaintext extractor takes $C$, $H_{\text{list}}$, $C^*$ as input and 
works as follows: 

Step 1: For each tuple $(r, H(r))$ on the $H_{\text{list}}$ consider the polynomial 
$f_r(x) = (2^{s_1} x + r)^2 - C$. The simulator runs Coppersmith's algorithm on each $f_r(x)$ 
to try to find an $|x_0| < \sqrt{N}$ satisfying $f_r(x_0) = 0 \bmod N$. Suppose an $x_0$ is 
found for some $r_0$ on the $H_{\text{list}}$. In this case, the simulator found a square 
root of $C$, namely $2^{s_1} x_0 + r_0$. Using $H(r_0)$ from the $H_{\text{list}}$ the simulator 
checks that $x_0$ is a properly padded SAEP message. If so, it gives $A$ the 
plaintext. If not, the simulator rejects $C$ as an invalid ciphertext. 

Step 2: Suppose no $r_0$ on the $H_{\text{list}}$ is found. Consider the two polynomials 

$$f(z) = z^2 - C^* \qquad\text{and}\qquad g(z, \Delta) = (z + 2^{s_0+s_1}\Delta)^2 - C$$

Let $h(\Delta)$ be the resultant of the two polynomials with respect to $z$. Then 
$h(\Delta)$ is a quartic polynomial. Use Coppersmith's algorithm to try to find 
a $|\Delta_0| < 2^m < N^{1/4}$ such that $h(\Delta_0) = 0 \bmod N$. If such a $\Delta_0$ is found 
then we know $f(y^*) = g(y^*, \Delta_0) = 0 \bmod N$ where $y^*$ is some square root 
of $C^*$. Then the simulator can easily find $y^*$ by computing the gcd of the 
univariate polynomials $f(z)$ and $g(z, \Delta_0)$. Since these two monic quadratic 
polynomials must be different (since $C \ne C^*$) their gcd must be a linear 
polynomial having $y^*$ as a root. The simulator outputs $y^*$ as the square 
root of $C^*$ and terminates the simulation. 

Step 3: If both Step 1 and Step 2 fail to resolve the decryption query, the 
ciphertext $C$ is rejected as an invalid ciphertext. Note that Step 2 is only 
done in Phase II of the attack. 
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This completes the description of the simulator. The simulator’s running time 
is as stated in the statement of Theorem 4. It remains to calculate the success 
probability of computing a square root of C* . Let j/i , 2/2 be the two square roots 
of C* mod N in [0,2"). If C* only has one such square root then set y* = y 2 - 
Let r*,r 2 be the Si least significant bits of respectively. We are successful 
if during the simulation either: (1) A issues a query for one of H{r\),H{r 2 ), or 
(2) A issues a decryption query for a valid ciphertext C ^ C* where the si least 
significant bits of some VC € [0, 2") equal r* or r^. If either one of these queries 
occurs during the attack we say that A issued an r* query. We denote by A{r*) 
the event that A issues an r* query during the attack. Our goal is to show that 
during the simulation Prsjm[-4(r*)] is non-negligible. 

Lemma 1. Let A he a (t,qD,qH) chosen ciphertext attacker with adv{A) > e. 
Then Prstm[A{r*)] > e(l - ^ - ^). 

Proof. We first note that during the real attack we have $\Pr_{\mathrm{real}}[A(r^*)] \ge \epsilon$. To 
see this observe that if $A$ does not issue an $r^*$ query during the real attack then 
the decryption of the challenge $C^*$ is independent of $A$'s view (since $H(r_1^*), H(r_2^*)$ 
are independent of $A$'s view). Hence, since $\mathrm{adv}(A) \ge \epsilon$, it follows that in the real 
attack $A$ must make an $r^*$ query with probability at least $\epsilon$, i.e. $\Pr_{\mathrm{real}}[A(r^*)] \ge \epsilon$. 

Next, we show that with high probability $A$ cannot distinguish the real attack 
from the simulation until it issues an $r^*$ query. We say that the event GoodSim 
occurred if the following two events happen: 

- The simulator never rejects a valid decryption query issued by $A$ (the validity 
  of a query is determined relative to the oracle $H$ at the end of the simulation), 
  and 

- During phase I of the attack (i.e. prior to being given the challenge) algorithm 
  $A$ did not issue a decryption query for $C$ where $C = y^2 \bmod N$ and the $s_1$ 
  least significant bits of $y \in [0, 2^n)$ are equal to $r_1^*$ or $r_2^*$. 

We show that when GoodSim occurs the simulation and the real attack are 
indistinguishable. We then show that GoodSim occurs with high probability. 

Claim 1: $\Pr_{\mathrm{real}}[A(r^*)] = \Pr_{\mathrm{sim}}[A(r^*) \mid \mathrm{GoodSim}]$. 

Proof: We show that when GoodSim occurs $A$'s view during the simulation is 
sampled from the same distribution as $A$'s view during the real attack. By 
construction, all responses to $H$ queries are as in a real attack. Similarly, when 
GoodSim occurs all responses to decryption queries are as in a real attack. Hence, 
the only thing to show is that the challenge $C^*$ given by the simulator is sampled 
from the same distribution as in a real attack. Recall that $C^*$ is generated by 
picking a random $a \in [0, 2^n)$ and computing $C^* = a^2 \bmod N$. For $C^*$ to be an 
encryption of $M_0$ or $M_1$ we must introduce an implicit constraint on $H$, namely 
$H(r^*) = w^*$ for some $(r^*, w^*)$. We show that $w^*$ is uniform in $\{0,1\}^{m+s_0}$ and 
that $w^*$, $H(r^*)$ are both independent of the attacker's view at the end of phase I. 
Hence, setting $H(r^*) = w^*$ is consistent with a real attack. Proving this requires 
some care for the Rabin function. 

Let $c \in \{1, 2\}$ be a random bit. If $C^*$ has two square roots in $[0, 2^n)$ we use the 
bit $c$ to pick one of them at random. Let $y^*$ be the chosen square root (unknown 
to the simulator). By Fact 3 we know that $y^*$ is uniform in $\{0,1\}^n$ (over the 
probability space induced by $(a, c)$). Write $y^* = x^* \| r^*$ with $x^* \in \{0,1\}^{m+s_0}$ 
and $r^* \in \{0,1\}^{s_1}$. Choose a random $b \in \{0,1\}$ and set $v^* = M_b \| 0^{s_0}$. The 
random bit $b$ indicates whether $C^*$ is an encryption of $M_0$ or $M_1$. Finally, set 
$H(r^*) = v^* \oplus x^*$. Since $y^*$ is uniform in $[0, 2^n)$ we know that $x^*$ is uniformly 
distributed in $\{0,1\}^{m+s_0}$. Hence, $v^* \oplus x^* \in \{0,1\}^{m+s_0}$ is a uniform random 
string. It is independent of $A$'s view at the end of phase I as required since at 
that time $C^*$ has not yet been used to answer any queries. 

Next, we show that at the end of phase I (just before $A$ receives the challenge) 
$H(r^*)$ is independent of $A$'s view (otherwise we cannot set $H(r^*) = v^* \oplus x^*$). 
This is immediate by the following facts: (1) we may assume that during phase I 
the attacker does not issue a query for $H(r^*)$ since otherwise the event $A(r^*)$ 
has already occurred and there is nothing more to prove. (2) The second part 
of GoodSim implies that during phase I the attacker did not issue a decryption 
query that restricts $H(r^*)$. Hence, at the end of phase I we know that $H(r^*)$ is 
independent of the attacker's view. This completes the proof of Claim 1. 

Claim 2: $\Pr[\mathrm{GoodSim}] \ge 1 - \frac{2q_D}{2^{s_0}} - \frac{2q_D}{2^{s_1}}$. 

Proof: Let $C$ be a decryption query issued by the attacker and rejected by the 
simulator (i.e. $C$ fails Steps 1 and 2 of the response to decryption queries). We show 
that the probability that $C$ is valid is at most $2/2^{s_0}$. Let $y_1, y_2$ be the square 
roots of $C$ in $[0, 2^n)$. Let $M_1, r_1, x_1, t_1, v_1$ and $M_2, r_2, x_2, t_2, v_2$ be the unpadding 
of $y_1, y_2$ as defined in Section 2. Then $C$ is a valid ciphertext only if either $t_1 = 0^{s_0}$ 
or $t_2 = 0^{s_0}$. Since $C$ failed to satisfy the condition of Step 1 we know that $A$ has 
not yet issued a query for $H(r_1)$ or $H(r_2)$. Since $C$ failed to satisfy Step 2 we 
know that $r_1, r_2 \ne r_1^*$ and $r_1, r_2 \ne r_2^*$. Hence, $H(r_1)$ and $H(r_2)$ are independent 
of the attacker's current view. Therefore, the probability that $t_1 = 0^{s_0}$ or $t_2 = 0^{s_0}$ 
is at most $2/2^{s_0}$. Since the attacker makes at most $q_D$ queries, the probability 
that any of these queries are incorrectly rejected is at most $2q_D/2^{s_0}$. 

To bound the probability for the second part of GoodSim observe that during 
phase I the challenge $C^*$ is independent of the attacker's view. Therefore, the 
probability that a decryption query during phase I happened to use $r_1^*$ or $r_2^*$ is 
at most $2/2^{s_1}$. Therefore, the probability that any of the queries during phase I 
use $r_1^*$ or $r_2^*$ is at most $2q_D/2^{s_1}$. To conclude we have that $\Pr[\mathrm{GoodSim}] \ge 
1 - 2q_D/2^{s_0} - 2q_D/2^{s_1}$ as required. This completes the proof of Claim 2. 

The proof of the lemma now follows from Claims 1 and 2: 

$$\Pr_{\mathrm{sim}}[A(r^*)] \ \ge\ \Pr_{\mathrm{sim}}[A(r^*) \mid \mathrm{GoodSim}] \cdot \Pr[\mathrm{GoodSim}] \ =\ \Pr_{\mathrm{real}}[A(r^*)] \cdot \Pr[\mathrm{GoodSim}] \ \ge\ \epsilon\Big(1 - \frac{2q_D}{2^{s_0}} - \frac{2q_D}{2^{s_1}}\Big)$$

as required. This concludes the proof of Lemma 1 and Theorem 4. □ 

Extensions. SAEP is not known to be secure for the general RSA trapdoor 
permutation, $f(x) = x^e \bmod N$. For very small RSA exponents one can show 
some limited security. For example, for $e = 3$ SAEP has chosen ciphertext security 
whenever $m + s_0 < n/3$ and $m < n/9$. For typical RSA modulus sizes, these 
restrictions on the message length make it difficult to use this system. 
5 Proof of Security for RSA-SAEP+ and Rabin-SAEP+ 

The proof of security for SAEP+ holds in a more general setting than the proof 
of SAEP. As in the previous section, we use $m, s_0, s_1$ as the security parameters 
of SAEP+ and set $n = m + s_0 + s_1$. 

Let $f(x, r)$ be a trapdoor permutation acting on strings in $\{0,1\}^{m+s_0} \times \{0,1\}^{s_1}$. 
As usual we assume $f$ is selected from a family $\mathcal{F}$ of such trapdoor 
permutations. Following the notation of [8] we define the set partial one-wayness 
problem as follows: 

Set partial one-wayness: We say that an algorithm $A$ solves the $(f, k)$ set partial 
one-wayness problem if given $f(x, r)$ the algorithm produces a set $S = 
\{r_1, \dots, r_k\} \subseteq \{0,1\}^{s_1}$ such that $r \in S$. More precisely, we say that $A$ has 
advantage $\epsilon$ if 

$$\mathrm{adv}^{\text{p-ow}}(A) = \Pr_{x,r}\big[r \in A(f(x, r))\big] \ \ge\ \epsilon$$

Consider the $f$-SAEP+ cryptosystem obtained by padding the message $M$ 
with SAEP+ prior to encrypting with $f$. We first show that a successful chosen 
ciphertext attacker on $f$-SAEP+ can be used to solve the set partial one-wayness 
problem for $f$. We then discuss the applications to the RSA and Rabin functions. 

Theorem 5. Let $A$ be a $(t, q_D, q_H, q_G)$ chosen ciphertext attack algorithm in the 
random oracle model. Suppose $A$ has advantage $\epsilon$ when attacking $f$-SAEP+. 
Then there is a uniform algorithm $B$ for solving the $(f, q_H)$ set partial 
one-wayness problem with the following parameters: 

$$\mathrm{time}(B) \le \mathrm{time}(A) + O(q_H + q_G + q_D)$$

adv^{p-ow}(B) ≥ adv(A)(1 − 

Proof. Algorithm $B$ is given $C^* = f(x^*, r^*)$ for some random $x^* \| r^* \in \{0,1\}^n$. 
Our goal is to output a list of size $q_H$ containing $r^*$. We construct a simulator 
that interacts with algorithm $A$ and produces the required output. Note that 
since $f$ is a permutation, $x^* \| r^*$ is unique given $C^*$. 

We first give a high level description of the simulator. During the simulation, 
$A$ outputs two plaintexts $M_0, M_1$ where it wishes to be challenged. The simulator 
responds with $C^*$ as the challenge ciphertext. We view $C^*$ as the encryption of 
$M^*$, where $M^*$ is one of the two challenge plaintexts $M_0, M_1$. We will show that 
if $A$ is to have any information about the decryption of $C^*$ it must query the 
function $H$ at the point $r^*$. Therefore, if we place all of $A$'s queries to $H$ in a 
list, called the $H_{\text{list}}$, then with non-negligible probability the $H_{\text{list}}$ is a solution 
to the set partial one-wayness problem. 

Next, we show how to respond to decryption queries. Say the attacker wishes 
to decrypt the ciphertext $C$. Suppose $C$ is a valid ciphertext, and is the 
encryption of some message $M$. Furthermore, let $C = f(x, r)$. We will show that 
if $C$ is a valid ciphertext, then both $G(M, r)$ and $H(r)$ are already defined. 
Hence, the $r$ used to create $C$ must satisfy one of the following: (1) the attacker 
queried $G(M, r)$ and $H(r)$ prior to issuing the decryption query, or (2) $r = r^*$ 
and $M = M^*$. Suppose method (1) is used. Then when the decryption query is 
issued, the simulator has already been queried on $G(M, r)$. Hence, to decrypt $C$ 
the simulator simply checks to see which pair $(M, r)$ on the list of queries to $G$ 
is the decryption of $C$. Suppose method (2) is used, i.e. $r = r^*$ and $M = M^*$. In 
this case $C = C^*$ and hence this is an invalid decryption query since it matches 
the challenge ciphertext. Consequently, all decryption queries can be correctly 
answered. 

We now give the detailed description of the simulator $B$. 

Setup: The simulator gives $A$ the security parameters $m, s_0, s_1$, and identifies 
the function $f$ within the family of trapdoor permutations $\mathcal{F}$. 

$H$-queries: At any time $A$ can query $H$ at $r \in \{0,1\}^{s_1}$. The simulator needs 
to respond with $H(r)$. To respond to such $H$-queries the simulator maintains 
a list, called the $H_{\text{list}}$. The $H_{\text{list}}$ is a list of tuples of the form $(z, H(z))$ that 
records all responses to previous $H$-queries. The $H_{\text{list}}$ is initially empty. To 
respond to the query $r$ the simulator works as follows: 

Step 1: If $r$ already appears as the left hand side of some tuple $(z, H(z))$ in 
the $H_{\text{list}}$ then respond to $A$ with $H(r) = H(z)$. 

Step 2: Otherwise, the simulator picks a random $w \in \{0,1\}^{m+s_0}$ and sets 
$H(r) = w$. It adds the tuple $(r, w)$ to the $H_{\text{list}}$ and responds to $A$ by saying 
$H(r) = w$. 

$G$-queries: At any time $A$ can query $G$ at $G(M_0, r_0)$ where $M_0 \in \{0,1\}^m$ and 
$r_0 \in \{0,1\}^{s_1}$. The simulator needs to produce $G(M_0, r_0)$. To respond to such 
$G$-queries the simulator maintains a list, called the $G_{\text{list}}$. It is a list of tuples of 
the form $(M, r, G(M, r), C)$ that records all responses to previous $G$-queries. 
The last entry, $C$, is the ciphertext that results from encrypting $M$ using the 
random string $r$ (see Step 2 below). The $G_{\text{list}}$ is initially empty. To respond 
to the query $(M_0, r_0)$ the simulator works as follows: 

Step 1: If $(M_0, r_0)$ appears as the left hand side of some tuple $(M_0, r_0, u, C)$ in 
the $G_{\text{list}}$ then respond to $A$ with $G(M_0, r_0) = u$. 

Step 2: Otherwise, the simulator picks a random $u \in \{0,1\}^{s_0}$ and sets 
$G(M_0, r_0) = u$. It then runs the algorithm for responding to an $H$ 
query to obtain the value of $H(r_0)$. The simulator then computes $C_0 = 
f(\mathrm{SAEP}^+(M_0, r_0))$, which is the ciphertext obtained from encrypting $M_0$ 
using $r_0$. Note that at this point $H(r_0)$ and $G(M_0, r_0)$ are well defined, so 
that $C_0$ is well defined. The simulator adds $(M_0, r_0, u, C_0)$ to the $G_{\text{list}}$ and 
responds to $A$ by saying $G(M_0, r_0) = u$. 

Challenge: At some point A produces two plaintexts Mg, Mi G {0, 1}™ where 
it wishes to be challenged. The simulator responds with G* as the challenge 
ciphertext. 

Decryption queries: Let G G Z^v be a ciphertext output by A. The simulator 
must decrypt G or reject it as an invalid ciphertext. We construct a plaintext 
extractor to decrypt G. The plaintext extractor is very simple: search the Gust 
to see if it contains a tuple (M, r, u, C) with G as the last entry. If so, respond 
with M as the decryption of G. Otherwise, reject the ciphertext as an invalid 
ciphertext. 

This completes the description of the simulator. Algorithm B outputs the Hust 
at the end of the simulation as its solution to the given set partial one-wayness 
problem. One can easily verify that the running time of B is as stated in the 
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statement of the theorem. We are assuming that searching the Hust and Gust 
takes constant time. 
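The simulator's bookkeeping is concrete enough to run. The Python below is an added example, not code from the paper: it keeps the H_list and G_list as dictionaries, plays the G-query rule (sample u, obtain H(r_0), compute C_0 = f(SAEP+(M_0, r_0)) and store the tuple) and the plaintext extractor (a scan of the G_list for a tuple ending in C), with a small RSA modulus standing in for the trapdoor permutation f. The toy parameters (P, Q, E, n = 39, m = s_0 = 8) and the SAEP+ padding v = M || G(M, r), x = v ⊕ H(r), pad = x || r (the unpadding the proof refers to) are assumptions of the example; the real simulator never needs the trapdoor, and neither does this one.

```python
import secrets

# Constructed toy parameters; the proof is generic in f, m, s0 and s1.
P, Q = 1000003, 1000033            # toy primes, N is roughly 2^40
N = P * Q
E = 65537                          # RSA exponent, coprime to (P-1)(Q-1)
N_BITS = 39                        # padded strings x||r are 39-bit, hence < N
M_BITS, S0_BITS = 8, 8             # m + s0 = 16 < n/2, as the corollaries require
S1_BITS = N_BITS - M_BITS - S0_BITS   # s1 = 23


def f(pad):
    """The trapdoor permutation handed to the simulator (RSA here: an assumption)."""
    return pow(pad, E, N)


def saep_plus_pad(M, r, G, H):
    """SAEP+ padding: v = M || G(M, r), x = v xor H(r), output x || r."""
    t = G(M, r)
    v = (M << S0_BITS) | t
    x = v ^ H(r)
    return (x << S1_BITS) | r


class Simulator:
    """Algorithm B: answers H-, G- and decryption queries without the trapdoor."""

    def __init__(self):
        self.h_list = {}   # r -> H(r)                      (the H_list)
        self.g_list = {}   # (M, r) -> (u, C), C = f(SAEP+(M, r))   (the G_list)

    def H(self, r):
        if r not in self.h_list:                         # Step 2: fresh random answer
            self.h_list[r] = secrets.randbits(M_BITS + S0_BITS)
        return self.h_list[r]                            # Step 1: repeat earlier answer

    def G(self, M, r):
        if (M, r) not in self.g_list:
            u = secrets.randbits(S0_BITS)
            # C0 = f(SAEP+(M0, r0)) with G(M0, r0) = u and H(r0) from the H-query rule
            pad = saep_plus_pad(M, r, lambda _M, _r: u, self.H)
            self.g_list[(M, r)] = (u, f(pad))
        return self.g_list[(M, r)][0]

    def decrypt(self, C):
        """Plaintext extractor: look for a G_list tuple whose last entry is C."""
        for (M, r), (u, C0) in self.g_list.items():
            if C0 == C:
                return M
        return None                                      # reject as invalid


def honest_encrypt(sim, M):
    """An attacker that encrypts honestly must query G and H, so its ciphertext lands in the G_list."""
    r = secrets.randbits(S1_BITS)
    return f(saep_plus_pad(M, r, sim.G, sim.H))


def run_simulation():
    sim = Simulator()
    M = 0xA5
    C = honest_encrypt(sim, M)
    extracted = sim.decrypt(C)                           # the extractor recovers M
    stray = f(secrets.randbits(N_BITS))                  # built without consulting G
    rejected = sim.decrypt(stray) is None                # so it is rejected
    # The challenge C* = f(x* || r*) for unknown x*, r*: B wins if r* reaches the H_list.
    r_star = secrets.randbits(S1_BITS)
    x_star = secrets.randbits(M_BITS + S0_BITS)
    c_star = f((x_star << S1_BITS) | r_star)
    in_list_before = r_star in sim.h_list
    sim.H(r_star)                                        # the attacker queries H(r*)
    in_list_after = r_star in sim.h_list
    return extracted, rejected, in_list_before, in_list_after


if __name__ == "__main__":
    print(run_simulation())
```

The stray ciphertext is rejected even though it is a perfectly well-formed element of Z_N: the extractor's only knowledge of plaintexts is the G_list, which is exactly why Claim 2 below has to bound the probability that a rejected query was in fact valid.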

It remains to calculate the probability that r* is contained in one of the tuples on the final H_list. This happens if A issues a query for H(r*) or a query for G(·, r*). We denote the probability of this event by Pr_sim[r* ∈ H_list]. We note that once the attacker queries H(r*) it can easily distinguish the simulation from a real attack: the simulator defines H(r*) to be a random string, but then C* is unlikely to be the encryption of M_0 or M_1. Hence, the attacker may choose to abort the attack. However, at that point r* is already in the H_list as required. The next lemma shows that Pr_sim[r* ∈ H_list] is sufficiently large.

Lemma 2. Let A be a (t, q_D, q_H, q_G) chosen ciphertext attacker for f-SAEP+ with advantage ε. Then

\[
\Pr_{\mathrm{sim}}[\, r^* \in H_{\mathrm{list}} \,] \;\ge\; \varepsilon \left( 1 - \frac{q_D}{2^{s_0}} - \frac{q_D}{2^{s_1}} \right) .
\]

Proof. As in the proof of Lemma 1 we have that in the real attack Pr_real[r* ∈ H_list] ≥ ε. It remains to show that with high probability A cannot distinguish the simulation from the real attack until it issues a query for H(r*) or G(·, r*). Let GoodSim be the event defined as in the proof of Lemma 1, namely we say that the event GoodSim occurred if the following two events happen:

- The simulator never rejects a valid decryption query issued by A (the validity of a query is determined relative to the oracle H at the end of the simulation), and

- During phase I of the attack (i.e. prior to being given the challenge) algorithm A did not issue a decryption query for C where C = f(x, r*) for some x ∈ {0,1}^{m+s_0}.

Claim 1: Pr_real[r* ∈ H_list] = Pr_sim[r* ∈ H_list | GoodSim].

Proof: We show that when GoodSim occurs A's view during the simulation is sampled from the same distribution as A's view during the real attack. Observe that the simulator provides a perfect simulation of the H and G oracles. Also, when GoodSim occurs all decryption queries are answered correctly. Next we show that the challenge ciphertext C* given to A is distributed as in the real attack. Recall that x*, r* are chosen at random. Let M_0, M_1 be the messages on which A wishes to be challenged. Pick a random b ∈ {0,1}. We make C* be the encryption of M_b. To do so, pick a random t* ∈ {0,1}^{s_0} and define G(M_b, r*) = t*. Set v* = M_b || t* and define H(r*) = v* ⊕ x*. Then C* is the encryption of M_b. Furthermore, t* and v* ⊕ x* are random strings independent of A's view at the end of phase I as required. To complete the proof we need to argue that at the end of phase I the hash values G(M_b, r*) and H(r*) are independent of the attacker's view (otherwise we cannot set G(M_b, r*) = t* and H(r*) = v* ⊕ x*). We do so in the same way as at the end of Claim 1 of Lemma 1.

Claim 2: Pr[GoodSim] ≥ 1 − q_D/2^{s_0} − q_D/2^{s_1}.

Proof: Let C be a decryption query issued by the attacker and rejected by the simulator. Let C = f(x, r), and let M, t, v be the unpadding of x || r as described in Section 2. Then C is a valid ciphertext only if t = G(M, r). Since C is rejected by the simulator we know that the attacker did not issue a query for G(M, r). Similarly, since C ≠ C* we know that (M, r) is not equal to (M_b, r*). Hence, G(M, r) is independent of the attacker's current view. Therefore, the probability that t = G(M, r) is 1/2^{s_0}. Since the attacker makes at most q_D queries, the probability that any decryption query is incorrectly rejected is at most q_D/2^{s_0}. We bound the probability for the second part of GoodSim as we did in the proof of Claim 2 of Lemma 1. Overall, we get that Pr[GoodSim] ≥ 1 − q_D/2^{s_0} − q_D/2^{s_1} as required. This concludes the proof of Claim 2.

The proof of the lemma now follows from Claims 1 and 2 as in the calculation at the end of Lemma 1. This concludes the proof of Theorem 5. □

We now describe how Theorem 5 applies to the Rabin and RSA functions. For the Rabin function we obtain an extremely efficient reduction to factoring. For the RSA permutation we obtain a reduction to breaking RSA, but the reduction is not as efficient. Since the Rabin function is not a permutation on its domain, one needs to extend the proof of Theorem 5 to this case. The extension is done using the same techniques as in Theorem 4. Theorem 5 remains unchanged.

Corollary 1 (Rabin-SAEP+). Consider the Rabin-SAEP+ scheme, with m + s_0 < n/2. Suppose the (n, t, ε) factoring assumption holds. Then Rabin-SAEP+ is (t', ε', q_D, q_H, q_G) chosen ciphertext secure in the random oracle model for t', ε' satisfying:

\[
t' < t - O(q_D + q_G + q_H T_C), \qquad \text{and} \qquad
\varepsilon' > 6\varepsilon + \frac{q_D}{2^{s_0}} + \frac{q_D}{2^{s_1}} ,
\]

where T_C = T_C(n, 2).

Proof. Suppose A is a (t', q_D, q_H, q_G) chosen ciphertext attacker on Rabin-SAEP+ with advantage ε'. Let f_N be the function f_N(x) = x^2 mod N for some N generated by the Rabin-SAEP+ key-gen algorithm. By Theorem 5 there exists a t_0-time algorithm B that solves the (f_N, q_H) set partial one-wayness problem with advantage ε_0 for some t_0, ε_0.

We construct an algorithm C for factoring N. The algorithm starts by picking a random a ∈ [0, 2^n) and computing C* = a^2 mod N. It then runs B on input C*. With probability at least ε_0 we obtain a set S = {r_1, ..., r_{q_H}} ⊆ {0,1}^{s_1} of size q_H with the following property: there exists an integer x ∈ [0, 2^{m+s_0}) and r ∈ S such that (2^{s_1} x + r)^2 = C* mod N. Since x < 2^{m+s_0} < 2^{n/2} we can then find x, r by running Coppersmith's algorithm on all q_H candidates for r. Once x, r are found, we obtain a square root a' ∈ [0, 2^n) of C* mod N. Then the factorization of N is revealed with probability at least 1/6 by computing gcd(N, a − a'). To see this observe that by Fact 2, C* mod N has two square roots in [0, 2^n) with probability at least 1/3. Therefore, a ≠ a' with probability 1/6. Since 0 < a, a' < N/2 the GCD gives a non-trivial factor of N. The resulting factoring algorithm C has running time time(C) = t_0 + q_H T_C = t' + O(q_D + q_G + q_H T_C) and success probability at least adv(C) = ε_0/6 = ε'(1 − q_D/2^{s_0} − q_D/2^{s_1})/6. The corollary now follows. □
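The last step of the proof, turning a second square root a' of C* into a factor of N, is the part a reader can check by hand. The Python below is an added example, not the paper's code: it uses a constructed toy modulus N = 10007 · 10039 (both primes are 3 mod 4, which makes the modular square roots a one-line computation), enumerates the four square roots of C* = a^2 mod N using the factorization (this only stands in for the root that B and Coppersmith's algorithm return; the factoring algorithm C does not know p and q), and shows that gcd(N, a − a') is a nontrivial factor exactly for the two roots a' ≠ ±a.

```python
from math import gcd

# Constructed toy modulus; the paper's N comes from the Rabin-SAEP+ key generator.
P, Q = 10007, 10039          # both are 3 mod 4, so c^((p+1)/4) is a square root mod p
N = P * Q


def crt(rp, rq):
    """Combine a residue mod P and a residue mod Q into the residue mod N."""
    inv_q = pow(Q, -1, P)                      # Q^{-1} mod P
    return (rq + Q * (((rp - rq) * inv_q) % P)) % N


def all_square_roots(c):
    """All four square roots of a quadratic residue c mod N.

    Needs P and Q, so it stands in for algorithm B here: in the proof, B (via
    Coppersmith's algorithm) hands back one root a' without knowing the factors.
    """
    sp = pow(c, (P + 1) // 4, P)
    sq = pow(c, (Q + 1) // 4, Q)
    return sorted({crt(s1, s2) for s1 in (sp, P - sp) for s2 in (sq, Q - sq)})


def factor_from_roots(n, a, a_prime):
    """If a^2 = a'^2 mod n and a' != +-a, then gcd(n, a - a') is a nontrivial factor."""
    if a == a_prime or (a + a_prime) % n == 0:
        return None                            # the trivial roots give nothing
    g = gcd(n, (a - a_prime) % n)
    return g if 1 < g < n else None


def demo(a):
    """Play algorithm C: square a, collect the roots B could return, try the gcd on each."""
    c_star = a * a % N
    roots = all_square_roots(c_star)
    factors = [factor_from_roots(N, a, r) for r in roots]
    return roots, factors


if __name__ == "__main__":
    print(demo(123456))
```

Two of the four roots are ±a and yield nothing; the other two yield P and Q respectively, which is the "a ≠ a' with probability 1/6" count in the proof once the 1/3 chance of the second root lying in the required range is factored in.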

Corollary 2 (RSA-SAEP+). Consider the RSA-SAEP+ scheme, with m + s_0 < n/2. Suppose the (n, e, t, ε) RSA assumption holds for some e > 0. Then RSA-SAEP+ is (t', ε', q_D, q_H, q_G) chosen ciphertext secure in the random oracle model for t', ε' satisfying:

\[
t' < t/2 - O(q_D + q_G + q_H^2), \qquad \text{and} \qquad
\varepsilon' > \varepsilon^{1/2} + \frac{q_D}{2^{s_0}} + \frac{q_D}{2^{s_1}} .
\]

Proof. Suppose A is a (t', q_D, q_H, q_G) chosen ciphertext attacker with advantage ε'. Let f_N be the function f_N(x) = x^e mod N for some N generated by the RSA-SAEP+ key-gen algorithm. By Theorem 5 there exists a t_0-time algorithm B that solves the (f_N, q_H) set partial one-wayness problem with advantage ε_0 for some t_0, ε_0. Fujisaki et al. [8] show that, when m + s_0 < n/2, such an algorithm can be used to compute the e'th root of C* modulo N. They do so by running algorithm B on both C* and αC* for a random α ∈ Z_N. The resulting sets S and S_α expose the e'th root of C* in time O(q_H^2). Hence, we obtain an algorithm for breaking RSA in time 2t_0 = 2t' + O(q_D + q_G + q_H^2) and success probability

\[
\varepsilon_0^2 = \Big( \varepsilon' \big( 1 - q_D/2^{s_0} - q_D/2^{s_1} \big) \Big)^2 \;\ge\; \big( \varepsilon' - q_D/2^{s_0} - q_D/2^{s_1} \big)^2 .
\]

The corollary now follows. □

Note that the reduction time for RSA-SAEP+ is quadratic in q_H and the success probability is quadratic in ε. This is not as efficient as the reduction for Rabin-SAEP+, which is linear time.

Accommodating large messages in RSA-SAEP+. Note that in Corollary 2 the message length must satisfy m + s_0 < n/2. We briefly note that the corollary remains true even if m + s_0 < (1 − δ)n for any fixed δ > 0. To do so run algorithm B on c = 1/δ random values α_1 C*, ..., α_c C*. We obtain c lists of size q_H each. Suppose we find a c-tuple c* = (r_1*, ..., r_c*) (one entry from each list) that is the correct solution to these c partial one-wayness problems. Then we obtain the δn least significant bits of the preimage of each α_i C* mod N, where the α_i are random in Z_N. Recovering the preimage of C* from this tuple is a standard Hidden Number Problem (HNP) modulo N. We can use the algorithm in [4] to efficiently find it. The analysis in [4], which applies to HNP modulo primes, extends to handle RSA composites N = pq as well. The resulting algorithm for breaking RSA has a running time of O(q_H^c), since we must try all c-tuples c*, and a success probability of O(ε'^c), since B must succeed on all c iterations. Consequently, this reduction becomes very inefficient for small δ.



6 Conclusions 

We showed that OAEP can be simplified significantly when applied to the Rabin and RSA functions. OAEP can be viewed as two rounds of a Feistel network. The simplified schemes, SAEP and SAEP+, require only one round of Feistel. The proof of security for the two schemes is based on the algebraic properties of the Rabin and RSA functions. When using an n-bit modulus Rabin-SAEP is secure whenever m + s_0 < n/2 and m < n/4. SAEP+ is secure whenever m + s_0 < n/2. The proof of security for RSA-SAEP+ has the same efficiency as the proof for RSA-OAEP [8]. For Rabin-SAEP+ the proof is as efficient as the proof for Rabin-OAEP+ [11].

The padding SAEP+ is superior to SAEP both in terms of the reduction efficiency and in terms of the weaker restriction on the message length. For practical purposes one is most likely to use SAEP+ rather than SAEP. Nevertheless, it is useful to know that Rabin-SAEP, which is a slightly simpler construction, also provides chosen ciphertext security when appropriate parameters are used.

Acknowledgments. The author thanks David Pointcheval, Jacques Stern, Victor Shoup, and Phong Nguyen for helpful discussions.

Abstract. We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the ith block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. Finally we provide a construction called HCBC which is based on a given block cipher E and a family of AXU functions. HCBC is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks.



1 Introduction 

We begin by saying what we mean by on-line ciphers. We then describe a notion 
of security for them, and discuss constructions and analyses. Finally, we discuss 
usage, applications, and related work. 



1.1 Online Ciphers

A cipher over domain D is a function F: {0,1}^k × D → D such that for each key K the map F(K,·) is a length-preserving permutation on D, and possession of K enables one to both compute and invert F(K,·). The most popular examples are block ciphers, where D = {0,1}^n for some n called the block length; these are fundamental tools in cryptographic protocol design. However, one might want to encipher data of large size, in which case one needs a cipher whose domain D is appropriately large. (A common choice, which we make, is to set the domain to D_{d,n}, the set of all strings having a length that is at most some large value d, and is also divisible by n.) Matyas and Meyer refer to these as "general" ciphers [?].

In this paper, we are interested in general ciphers that are computable in an on-line manner. Specifically, cipher F is said to be on-line if the following is true. View the input plaintext M = M[1] ... M[l] to an instance F(K,·) of the cipher as a sequence of n-bit blocks, and similarly for the output ciphertext F(K, M) = C[1] ... C[l]. Then, given the key K, for all i, it should be possible to compute output block C[i] after having seen input blocks M[1] ... M[i]. That is, C[i] does not depend on blocks i+1, ..., l of the plaintext.

An on-line cipher permits real-time, length-preserving encryption of a data stream without recourse to buffering, which can be attractive in some practical settings.

The intent of this paper is to find efficient, proven secure constructions of 
on-line ciphers and to further explore the applications. Let us now present the 
relevant security notions and our results. 

1.2 A Notion of Security for Online Ciphers 

A commonly accepted notion of security to target for a cipher is that it be a pseudorandom permutation (PRP), as defined by Luby and Rackoff [?]. Namely, for a cipher F to be a PRP, it should be computationally infeasible, given an oracle g, to have non-negligible advantage in distinguishing between the case where g is a random instance of F and the case where g is a randomly-chosen, length-preserving permutation on the domain of the cipher. However, if a cipher is on-line, then the ith block of the ciphertext does not depend on blocks i+1, i+2, ... of the plaintext. This is necessary, since otherwise it would not be possible to output the ith ciphertext block having seen only the first i plaintext blocks. Unfortunately, this condition impacts security, since a cipher with this property certainly cannot be a PRP. An easy distinguishing test is to ask the given oracle g the two-block queries AB and AC, getting back outputs WX and YZ respectively, and if W = Y then bet that g is an instance of the cipher. This test has a very high advantage since the condition being tested fails with high probability for a random length-preserving permutation.

For an on-line cipher, then, we must give up on the requirement that it meet the security property of being a PRP. Instead, we define and target an appropriate alternative notion of security. This is quite natural; we simply ask that the cipher behave "as randomly as possible" subject to the constraint of being on-line. We say that a length-preserving permutation π is on-line if for all i the ith output block of π depends only on the first i input blocks to π, and let OPerm_{d,n} denote the set of all on-line, length-preserving permutations π on domain D_{d,n}. The rest is like for a PRP, with members of this new set playing the role of the "ideal" objects to which cipher instances are compared: it should be computationally infeasible, given an oracle g, to have non-negligible advantage in distinguishing between the case where g is a random instance of F and the case where g is a random member of OPerm_{d,n}. A cipher secure in this sense is called an on-line-PRP.

The fact that an on-line-PRP meets a notion of security that is relatively weak compared to a PRP might at first lead one to question the introduction of such a notion. However, finding appropriate balances between security and practical constraints is an impactful and active research endeavor where the goal is not necessarily to achieve some strong notion of security but to have the "best possible" security under given practical constraints, so that weaker notions of security are useful. Furthermore, we will see that in this case, even this weak primitive, if properly used, can provide strong security.



1.3 Candidates for Online Ciphers 

To the best of our knowledge, the problem of designing on-line ciphers with security properties as strong as those required by our definition has not been explicitly addressed before. When one comes to consider this problem, however, it is natural to test first some existing candidate ciphers or natural constructions from the literature. We consider some of them and present attacks that are helpful to gather intuition about the kinds of security properties we are seeking.

It is natural to begin with standard modes of operation of a block cipher, such as CBC. However, CBC is an encryption scheme, not a cipher; each invocation chooses a new random initial vector as a starting point and makes this part of the ciphertext. In particular, it is not length-preserving. The natural way to modify it to be a cipher is to fix the initial vector. There are a couple of choices: make it a known public value, or, hopefully better for security, make it a key that will be part of the secret key of the cipher. The resulting ciphers are certainly on-line, but they do not meet the notion of security we have defined. In other words, the CBC cipher with fixed IV, whether public or private, can be easily distinguished from a random on-line permutation. Attacks demonstrating this are provided in Section 4.

We then consider the Accumulated Block Chaining (ABC) mode proposed by Knudsen in [?], which is a generalization of the Infinite Garble Extension mode proposed by Campbell [?]. It was designed to have "infinite error propagation," a property that intuitively seems necessary for a secure on-line cipher but which, as we will see, is not sufficient. In Section 4 we present attacks demonstrating that this is not a secure on-line cipher.



1.4 The HCBC Online Cipher and Its Security 

We seek a construction of a secure on-line cipher based on a given block cipher E: {0,1}^{ek} × {0,1}^n → {0,1}^n. We provide a construction called HCBC that uses a family H: {0,1}^{hk} × {0,1}^n → {0,1}^n of Almost-XOR-Universal (AXU) hash functions [?]. The key eK || hK for an instance HCBC(eK || hK, ·) of the cipher consists of a key eK for the block cipher and a key hK specifying a member H(hK, ·) of the family H. The construction is just like CBC, except that a ciphertext block is first hashed via H(hK, ·) before being XORed with the next plaintext block. (The initial vector is fixed to 0^n.) A picture is in Figure [?], and a full description of the construction is in Section [?]. It is easy to see that this cipher is on-line.

We stress that the hash functions map n bits to n bits, meaning work on inputs of the block length, as does the given block cipher. Numerous designs of fast AXU families are known, so that our construction is quite efficient. For an overview of the state-of-the-art of AXU families refer to [?].

We prove that HCBC meets the notion of security for an on-line cipher that we discussed above, assuming that the underlying block cipher E is a PRP. The proof involves finding and exploiting a way of looking at an on-line cipher as a 2^n-ary tree of permutations on n bits, and then going through a hybrid argument involving a sequence of different games that "move" from OPerm_{d,n} to HCBC.
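As an added illustration of the construction just described (not the paper's own code, whose full description is in a later section), the Python below implements HCBC exactly as the text states it: C[0] = 0^n and C[i] = E(eK, M[i] ⊕ H(hK, C[i−1])). A seeded random permutation on 8-bit blocks stands in for the block cipher E, and H(hK, x) = hK · x in GF(2^8) is the AXU family (for x ≠ x' and any δ, exactly one hK satisfies hK · (x ⊕ x') = δ, so the collision probability is 2^{-8}). The 8-bit block size and both toy primitives are assumptions of the example; the checks at the end confirm that deciphering inverts enciphering and that the first i ciphertext blocks depend only on the first i plaintext blocks, i.e. that HCBC is on-line.

```python
import random

N_BITS = 8                       # toy block length n (assumption)
BLOCK_SPACE = 1 << N_BITS


def gf256_mul(a, b):
    """Multiplication in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def axu_hash(hk, x):
    """H(hK, x) = hK * x in GF(2^8): an AXU family with collision probability 2^-8."""
    return gf256_mul(hk, x)


def toy_block_cipher(ek):
    """A random permutation on {0,1}^8 chosen by the seed eK, standing in for E (assumption)."""
    rng = random.Random(ek)
    table = list(range(BLOCK_SPACE))
    rng.shuffle(table)
    inverse = [0] * BLOCK_SPACE
    for m, c in enumerate(table):
        inverse[c] = m
    return table, inverse


def hcbc_encipher(ek, hk, blocks):
    """HCBC: C[i] = E(eK, M[i] xor H(hK, C[i-1])) with C[0] = 0^n."""
    enc, _ = toy_block_cipher(ek)
    prev, out = 0, []
    for m in blocks:
        c = enc[m ^ axu_hash(hk, prev)]
        out.append(c)
        prev = c                      # only the previous ciphertext block is carried forward
    return out


def hcbc_decipher(ek, hk, blocks):
    """Inverse: M[i] = E^{-1}(eK, C[i]) xor H(hK, C[i-1]); every step needs only C[1..i]."""
    _, dec = toy_block_cipher(ek)
    prev, out = 0, []
    for c in blocks:
        out.append(dec[c] ^ axu_hash(hk, prev))
        prev = c
    return out


def is_online(ek, hk, prefix, tail_a, tail_b):
    """Two plaintexts sharing a prefix of i blocks must share their first i ciphertext blocks."""
    ca = hcbc_encipher(ek, hk, prefix + tail_a)
    cb = hcbc_encipher(ek, hk, prefix + tail_b)
    return ca[:len(prefix)] == cb[:len(prefix)]


if __name__ == "__main__":
    ek, hk = 42, 0x57
    msg = [3, 1, 4, 1, 5]
    print(hcbc_encipher(ek, hk, msg), hcbc_decipher(ek, hk, hcbc_encipher(ek, hk, msg)))
    print(is_online(ek, hk, [9, 9], [9], [1]))
```

Because only C[i−1] is carried between steps, the cipher needs no buffering and produces C[i] as soon as M[i] arrives, which is the on-line property; the hash on the chaining value is what separates HCBC from the fixed-IV CBC cipher that Section 4 shows to be distinguishable.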

1.5 Security against Chosen Ciphertext Attacks 

The notions of PRPs and on-line PRPs that we have discussed above represent security under chosen-plaintext attack. A stronger requirement is security under chosen-ciphertext attack. For a PRP this means that the adversary has an oracle not just for the challenge permutation, but also for its inverse. (An object secure in this sense was called a strong PRP in [?] and a super-PRP in [?].) This notion is easily adapted to yield a notion of on-line PRPs secure against chosen-ciphertext attack. We provide an attack showing that HCBC is not secure against chosen-ciphertext attack. The question of finding a construction of an on-line PRP secure against chosen ciphertext attack, based on a block cipher assumed to be a PRP secure against chosen-ciphertext attack, is open. In the full version of this paper [?] we report on some efforts to this end.

1.6 Usage and Application of Online Ciphers 

There are settings in which the input plaintext is being streamed to a device that has limited memory for buffering and wants to produce output at the same rate at which it is getting input. The on-line property becomes desirable in these settings. The most direct usage of an on-line cipher will be in settings where, additionally, there is a constraint requiring the length of the ciphertext to equal the length of the plaintext. (Otherwise, one can use a standard mode of encryption like CBC, since it has the on-line property. But it is length expanding in the sense that the length of the ciphertext exceeds that of the plaintext, due to the changing initial vector.) This type of constraint occurs when one is dealing with fixed packet formats or legacy code.

However, an on-line cipher is more generally useful, via the "encode-then-encipher" paradigm discussed in [?]. This paradigm was presented for ciphers that are PRPs, and says that enciphering yields an IND-CPA secure encryption scheme if the message space has enough entropy, and provides integrity (meaning achieves INT-CTXT) if the message space contains enough redundancy. (The privacy requires that the PRP be secure against chosen-plaintext attack, while the integrity requires security against chosen-ciphertext attack.) Entropy and redundancy might be present in the data, as often happens when enciphering structured data like packets, which have fixed formats and often contain counters. Or, entropy and redundancy can be explicitly added, for example by inserting a random value and a constant string in the message. (This will of course increase the size of the plaintext, so is only possible when data expansion is permitted.)

Claims similar to those made in [?] remain true even if the cipher is an on-line-PRP rather than a PRP. Specifically, the requirement on the message space must be strengthened to require not just that entropy be present, but that it be in the first blocks of the message; and similarly, that redundancy not just be present, but be at the end of the data. Again, one might already have data of such structure, in which case the encryption will be length preserving yet provide semantic security and integrity, or one can prepend a random number and append a constant to the message, getting the same properties but at the cost of data expansion.

1.7 Related Work 

The problem addressed by our Hash-CBC construction is that of building a general cipher from a block cipher. Naor and Reingold [?] consider this problem for the case where the general cipher is to be a PRP or strong PRP, while we want the general cipher to be an on-line-PRP or strong-on-line-PRP. The constructions of [?, Section 7] are not on-line; indeed, they cannot be, since they achieve the stronger security notion of a PRP. Our construction, however, follows that of [?] in using hash functions in combination with block ciphers. A problem that has received a lot of attention is to take a PRP and produce another having twice the input block length of the original [9, 11]. We are, however, interested in allowing inputs of varying and very large size, not merely twice the block size.

2 Definitions 

We recall basic definitions of families of functions and ciphers following [?].

Notation. A string is a member of {0,1}*. If x is a string, then |x| denotes its length. The empty string is denoted ε. If x, y ∈ {0,1}* are strings, then we denote by LCP_n(x, y) the longest common n-prefix of x, y. This is the longest string s such that |s| is a multiple of n, and s is a prefix of both x and y. A map f: D → R is a permutation if D = R and f is a bijection (i.e. one-to-one and onto). A map f: D → R is length-preserving if |f(x)| = |x| for all x ∈ D. If n ≥ 1, d ≥ 1 are integers, then D_{d,n} denotes the set of all strings whose length is a positive multiple of n bits and at most dn bits. If P ∈ D_{d,n}, then P[i] denotes its ith block, meaning P = P[1] ... P[l] where l = |P|/n and |P[i]| = n for all i = 1, ..., l. We will typically consider functions whose inputs and outputs are in D_{d,n}, so that both are viewed as sequences of blocks where each block is n bits long. We let f^{(i)} denote the function which on input M returns the ith block of f(M). (Or ε if |f(M)| < in.)

Function families and ciphers. A family of functions is a map F: Keys(F) × Dom(F) → Ran(F) where Keys(F) is the key space of F; Dom(F) is the domain of F; and Ran(F) is the range of F. If Keys(F) = {0,1}^k, then we refer to k as the key-length. The two-input function F takes a key K ∈ Keys(F) and an input x ∈ Dom(F) to return a point F(K, x) ∈ Ran(F). For each key K ∈ Keys(F), we define the map F_K: Dom(F) → Ran(F) by F_K(x) = F(K, x) for all x ∈ Dom(F). Thus, F specifies a collection of maps from Dom(F) to Ran(F), each map being associated with a key. (That is why F is called a family of functions.) We refer to F(K, ·) as an instance of F. The operation of choosing a key at random from the key space is denoted K ←$ Keys(F). We write f ←$ F for the operation K ←$ Keys(F); f ← F(K, ·). That is, f ←$ F denotes the operation of selecting at random a function from the family F. When f is so selected it is called a random instance of F. Let Rand_{n,n} be the family of all functions mapping {0,1}^n to {0,1}^n so that f ←$ Rand_{n,n} denotes the operation of selecting at random a function from {0,1}^n to {0,1}^n. Similarly, let Perm_n be the family of all permutations mapping {0,1}^n to {0,1}^n so that π ←$ Perm_n denotes the operation of selecting at random a permutation on {0,1}^n. We say that F is a cipher if Dom(F) = Ran(F) and each instance F(K, ·) of F is a length-preserving permutation. A block cipher is a cipher whose domain and range equal {0,1}^n for some integer n called the block size. (For example, the AES has block size 128.) If F is a cipher, then F^{-1} is the inverse cipher, defined by F^{-1}(K, x) = F(K, ·)^{-1}(x) for all K ∈ Keys(F) and x ∈ Dom(F).



Pseudorandomness of ciphers. A "secure" cipher is one that approximates a family of random permutations; the "better" the approximation, the more secure the cipher. This is formalized following [?]. A distinguisher is an algorithm that has access to one or more oracles and outputs a bit. Let F: Keys(F) × {0,1}^n → {0,1}^n be a family of functions with domain and range {0,1}^n. Let A_1 be a distinguisher with one oracle and A_2 a distinguisher with two oracles. Let

\[
\mathrm{Adv}^{\mathrm{prp\text{-}cpa}}_{F}(A_1)
 = \Pr\big[\, g \xleftarrow{\$} F : A_1^{g} = 1 \,\big]
 - \Pr\big[\, g \xleftarrow{\$} \mathrm{Perm}_n : A_1^{g} = 1 \,\big] .
\]

If F: Keys(F) × {0,1}^n → {0,1}^n is a cipher, then we also let

\[
\mathrm{Adv}^{\mathrm{prp\text{-}cca}}_{F}(A_2)
 = \Pr\big[\, g \xleftarrow{\$} F : A_2^{g,\, g^{-1}} = 1 \,\big]
 - \Pr\big[\, g \xleftarrow{\$} \mathrm{Perm}_n : A_2^{g,\, g^{-1}} = 1 \,\big] .
\]

These capture the advantage of the distinguisher in question in the task of distinguishing a random instance of F from a random permutation on {0,1}^n. In the first case, the distinguisher gets to query the challenge instance. In the second, it also gets to query the inverse of the challenge instance. For any integers t, q_e, μ_e, q_d, μ_d, we now let

\[
\mathrm{Adv}^{\mathrm{prp\text{-}cpa}}_{F}(t, q_e, \mu_e)
 = \max_{A_1} \big\{\, \mathrm{Adv}^{\mathrm{prp\text{-}cpa}}_{F}(A_1) \,\big\} , \qquad
\mathrm{Adv}^{\mathrm{prp\text{-}cca}}_{F}(t, q_e, \mu_e, q_d, \mu_d)
 = \max_{A_2} \big\{\, \mathrm{Adv}^{\mathrm{prp\text{-}cca}}_{F}(A_2) \,\big\} .
\]

The maximum is over all distinguishers having time-complexity t, making to the g oracle at most q_e queries totaling at most μ_e bits, and, in the second case, also making to the g^{-1} oracle at most q_d queries totaling at most μ_d bits. We say that a PRP F is secure against chosen-plaintext attacks if the function Adv^{prp-cpa}_F(t, q_e, μ_e) grows "slowly." Similarly, we say that a PRP F is secure against chosen-ciphertext attacks if the function Adv^{prp-cca}_F(t, q_e, μ_e, q_d, μ_d) grows "slowly." Time complexity includes the time to reply to oracle calls by computation of F(K, ·) or F^{-1}(K, ·).

3 Online Ciphers and Their Basic Properties 

We say that a function f: D_{d,n} → D_{d,n} is n-on-line if the i-th block of the output is determined completely by the first i blocks of the input. A more formal definition follows. We refer the reader to Section 2 for the definition of D_{d,n}.

Definition 1. Let n, d ≥ 1 be integers, and let f: D_{d,n} → D_{d,n} be a length-preserving function. We say that f is n-on-line if there exists a function X: D_{d,n} → {0,1}^n such that for every M ∈ D_{d,n} and every i ∈ {1, ..., |M|/n} it is the case that

\[
f^{(i)}(M) = X(M[1] \ldots M[i]) .
\]

A cipher F having domain and range a subset of D_{d,n} is said to be n-on-line if for every K ∈ Keys(F) the function F(K, ·) is on-line. ■

Definition 2. Let f be an n-on-line function. Let i ≥ 1. Fix M[1], ..., M[i−1] ∈ {0,1}^n. Define the function f^{(i)}_{M[1] ... M[i−1]}: {0,1}^n → {0,1}^n by

\[
f^{(i)}_{M[1] \ldots M[i-1]}(x) = f^{(i)}(M[1] \ldots M[i-1]\, x)
\]

for all x ∈ {0,1}^n. ■

Proposition 1. If f is an n-on-line permutation, i ≥ 1 and M[1], ..., M[i−1] ∈ {0,1}^n, then the map f^{(i)}_{M[1] ... M[i−1]} is a permutation on {0,1}^n.

The proof of Proposition 1 is in the full version of this paper [?].



Pseudorandomness of on-line ciphers. Let OPerm_{d,n} denote the family of all n-on-line, length-preserving permutations on D_{d,n}. A "secure" on-line cipher is one that closely approximates OPerm_{d,n}; the "better" the approximation, the more "secure" the on-line cipher. This formalization is analogous to the previously presented formalization of the pseudorandomness of ciphers. Let F: Keys(F) × D_{d,n} → D_{d,n} be a family of functions with domain and range D_{d,n}. Let A_1 be a distinguisher with one oracle and A_2 a distinguisher with two oracles. Let

\[
\mathrm{Adv}^{\mathrm{oprp\text{-}cpa}}_{F}(A_1)
 = \Pr\big[\, g \xleftarrow{\$} F : A_1^{g} = 1 \,\big]
 - \Pr\big[\, g \xleftarrow{\$} \mathrm{OPerm}_{d,n} : A_1^{g} = 1 \,\big] .
\]

If F: Keys(F) × D_{d,n} → D_{d,n} is a cipher, then we also let

\[
\mathrm{Adv}^{\mathrm{oprp\text{-}cca}}_{F}(A_2)
 = \Pr\big[\, g \xleftarrow{\$} F : A_2^{g,\, g^{-1}} = 1 \,\big]
 - \Pr\big[\, g \xleftarrow{\$} \mathrm{OPerm}_{d,n} : A_2^{g,\, g^{-1}} = 1 \,\big] .
\]

These capture the advantage of the distinguisher in question in the task of distinguishing a random instance of F from a random, length-preserving, n-on-line permutation on D_{d,n}. In the first case, the distinguisher gets to query the challenge instance. In the second, it also gets to query the inverse of the challenge instance. For any integers t, q_e, μ_e, q_d, μ_d, we now let

\[
\mathrm{Adv}^{\mathrm{oprp\text{-}cpa}}_{F}(t, q_e, \mu_e)
 = \max_{A_1} \big\{\, \mathrm{Adv}^{\mathrm{oprp\text{-}cpa}}_{F}(A_1) \,\big\} , \qquad
\mathrm{Adv}^{\mathrm{oprp\text{-}cca}}_{F}(t, q_e, \mu_e, q_d, \mu_d)
 = \max_{A_2} \big\{\, \mathrm{Adv}^{\mathrm{oprp\text{-}cca}}_{F}(A_2) \,\big\} .
\]

The maximum is over all distinguishers having time-complexity t, making to the oracle g at most q_e queries totaling at most μ_e bits, and, in the second case, also making to the g^{-1} oracle at most q_d queries totaling at most μ_d bits. We say that an online PRP (OPRP) F is secure against chosen plaintext attacks if the function Adv^{oprp-cpa}_F(t, q_e, μ_e) grows "slowly." Similarly, we say that an OPRP F is secure against chosen ciphertext attacks if the function Adv^{oprp-cca}_F(t, q_e, μ_e, q_d, μ_d) grows "slowly." Time complexity includes the time to reply to oracle calls by computation of F(K, ·) or F^{-1}(K, ·).



Tree-based characterization. We present a tree-based characterization of 
n-on-line ciphers that is useful to gain intuition and to analyze constructs. Let 
N = 2^n. An N-ary tree of functions is an N-ary tree T each node of which 
is labeled by a function mapping {0,1}^n to {0,1}^n. We label each edge in the 
tree in a natural way via a string in {0,1}^n. Then, each node in the tree is 
described by a sequence of edge labels defining the path from the root to the 
node in question. The function labeling node x in the tree, where x is a string 
of length ni for some 0 ≤ i < d, is then denoted T_x. A tree defines a function T 
from D_{d,n} to D_{d,n} as described below. If the nodes in the tree are labeled with 
permutations, then the tree also defines an inverse function T^{-1}. 



T(M[1] ... M[l]) 
    x ← ε 
    For i = 1, ..., l do 
        C[i] ← T_x(M[i]) 
        x ← x || C[i] 
    EndFor 
    Return C[1] ... C[l] 

T^{-1}(C[1] ... C[l]) 
    x ← ε 
    For i = 1, ..., l do 
        M[i] ← T_x^{-1}(C[i]) 
        x ← x || C[i] 
    EndFor 
    Return M[1] ... M[l] 



Here, 1 ≤ l ≤ d. Let G: Keys(G) × {0,1}^n → {0,1}^n be a function family. 
(We are most interested in the case where G is Perm_n or Rand_{n,n}.) We let 
Tree(n, G, d) denote the set of all 2^n-ary trees of functions in which each function 
is an instance of G and the depth of the tree is d. This set is viewed as equipped 
with a distribution under which each node of the tree is assigned a random 
instance of G, and the assignments to the different nodes are independent. We 
claim that the tree-based construction defined above is a valid characterization of 
on-line ciphers, as stated in the following proposition and proven in [?]. 

Proposition 2. There is a bijection between Tree(n, Perm_n, d) and OPerm_{d,n}. 



Inversion. It turns out that the inverse of an on-line permutation is itself on- 
line, as stated below and proven in [?]. 

Proposition 3. Let f: D_{d,n} → D_{d,n} be an n-on-line permutation, and let g = 
f^{-1}. Then g is an n-on-line permutation. 

We note that the proof does not tell us anything about the computational com- 
plexity of the function f^{-1}, meaning it could be the case that f is efficiently com- 
putable, but the f^{-1} given by Proposition 3 is not. However, whenever we design 
a cipher F, we will make sure that both F(K, 路) and F^{-1}(K, 路) are efficiently 
computable given K, and will explicitly specify F^{-1} in order to make this clear. 



4 Analysis of Some Candidate Ciphers 

We consider several candidates for on-line ciphers. First, we consider one based 
on the basic CBC mode. Then, we consider the Accumulated Block Chain- 
ing (ABC) proposed by Knudsen in [7], which is a generalization of the Infi- 
nite Garble Extension mode proposed by Campbell [?]. In this section, we let 
E: {0,1}^{ek} × {0,1}^n → {0,1}^n be a given block cipher with key size ek and 
block size n. 



CBC AS AN ON-LINE CIPHER. In CBC encryption based on E, one usually uses 
a new, random IV for every message. This does not yield a cipher, let alone an 
on-line one. To get an on-line cipher, we fix the IV. We can, however, make it 
secret; this can only increase security. In more detail, the CBC cipher associated 
to E, denoted OCBC, has key space {0,1}^{ek+n}. For M, C ∈ D_{d,n}, eK ∈ {0,1}^{ek} 
and C[0] ∈ {0,1}^n, we define 

OCBC(eK || C[0], M) 
    Parse M as M[1] ... M[l] with l ≥ 1 
    For i = 1, ..., l do 
        C[i] ← E(eK, M[i] ⊕ C[i−1]) 
    Return C[1] ... C[l] 

OCBC^{-1}(eK || C[0], C) 
    Parse C as C[1] ... C[l] with l ≥ 1 
    For i = 1, ..., l do 
        M[i] ← E^{-1}(eK, C[i]) ⊕ C[i−1] 
    Return M[1] ... M[l] 



Here, C[0] is the IV. The key is the pair eK || C[0], consisting of a key eK for the 
block cipher, and the IV. It is easy to check that the above cipher is on-line. For 
clarity, we have also shown the inverse cipher. We now present the attack. The 
adversary A shown in Figure 1 gets an oracle g where g is either an instance of 
OCBC or an instance of OPerm_{d,n}. We claim that 

Adv^{oprp-cpa}_{OCBC}(A) ≥ 1 − 2^{−n} . (1) 

We justify Equation (1) in the full version of this paper [?]. Since A made only 
3 oracle queries, this shows that the CBC mode with a fixed IV is not a secure 
on-line cipher. 

The idea of the attack is to gather some input-output pairs for the cipher. 
Then we use these values to construct a new sequence of input blocks so that 
one of the input blocks to E collides with one of the previous input blocks to 
E. This enables us to predict an output block of the cipher. If our prediction is 
correct, then we know that the oracle is an instance of OCBC with overwhelming 
probability. 






Distinguisher A^g 
    Let M[1], ..., M[l] be any n-bit strings 
    Let M_1 = 0^n M[2] ... M[l] and let M_2 = 1^n M[2] ... M[l] 
    Let C_1[1] ... C_1[l] ← g(M_1) and let C_2[1] ... C_2[l] ← g(M_2) 
    Let M_3[2] = M[2] ⊕ C_1[1] ⊕ C_2[1] and let M_3 = 1^n M_3[2] M[3] ... M[l] 
    Let C_3[1] ... C_3[l] ← g(M_3) 
    If C_3[2] = C_1[2] then return 1 else return 0 

Fig. 1. Attack on the CBC based on-line cipher. 
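As an added example (not code from the paper), the following Python realises the tree-based characterization and the Figure 1 distinguisher over a toy 8-bit block: E is a key-seeded random permutation standing in for a real block cipher, a random member of OPerm_{d,n} is built lazily as the 2^n-ary tree of random permutations, and the predicted relation C_3[2] = C_1[2] is checked against both OCBC and the tree, confirming that it always holds for OCBC and only with probability about 2^{-n} for the tree, as Equation (1) states.

```python
import random

N_BITS = 8                      # toy block size n = 8, so one block is one byte
BLOCK_RANGE = 1 << N_BITS


def make_block_cipher(seed):
    """Toy block cipher E(eK, .): a random permutation of {0,1}^8 fixed by the
    key seed (constructed stand-in, not a real cipher). Returns (E, E^-1) tables."""
    rng = random.Random(seed)
    perm = list(range(BLOCK_RANGE))
    rng.shuffle(perm)
    inv = [0] * BLOCK_RANGE
    for x, y in enumerate(perm):
        inv[y] = x
    return perm, inv


def ocbc(e_perm, iv, msg):
    """OCBC(eK || C[0], M): CBC with the IV C[0] fixed as part of the key."""
    out, prev = [], iv
    for m in msg:
        prev = e_perm[m ^ prev]          # C[i] = E(eK, M[i] xor C[i-1])
        out.append(prev)
    return out


def ocbc_inv(e_inv, iv, ct):
    """OCBC^-1(eK || C[0], C)."""
    out, prev = [], iv
    for c in ct:
        out.append(e_inv[c] ^ prev)      # M[i] = E^-1(eK, C[i]) xor C[i-1]
        prev = c
    return out


class RandomOnlinePermutation:
    """A random instance of OPerm_{d,n}, built lazily as the 2^n-ary tree of
    random permutations of the tree-based characterization: C[i] = T_x(M[i]),
    where the path x is the sequence of earlier ciphertext blocks C[1]..C[i-1]."""

    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.nodes = {}                  # path (tuple of blocks) -> permutation table

    def _node(self, path):
        if path not in self.nodes:
            perm = list(range(BLOCK_RANGE))
            self.rng.shuffle(perm)
            self.nodes[path] = perm
        return self.nodes[path]

    def __call__(self, msg):
        out = []
        for m in msg:
            out.append(self._node(tuple(out))[m])
        return out


def figure1_distinguisher(g, blocks):
    """The distinguisher A^g of Fig. 1 (blocks = M[1..l], l >= 2).
    Returns 1 when the predicted relation C_3[2] = C_1[2] holds."""
    tail = list(blocks[1:])
    m1 = [0x00] + tail                   # M_1 = 0^n M[2] ... M[l]
    m2 = [0xFF] + tail                   # M_2 = 1^n M[2] ... M[l]
    c1, c2 = g(m1), g(m2)
    m3 = [0xFF, blocks[1] ^ c1[0] ^ c2[0]] + list(blocks[2:])   # M_3
    c3 = g(m3)
    return 1 if c3[1] == c1[1] else 0


def run_attack(trials=50):
    """Run A against fresh OCBC instances (secret key and IV) and against fresh
    random on-line permutations. Returns (hits_on_ocbc, hits_on_random)."""
    hits_ocbc = hits_rand = 0
    for t in range(trials):
        perm, _ = make_block_cipher(1000 + t)
        iv = random.Random(t).randrange(BLOCK_RANGE)
        msg = [random.Random(2000 + t).randrange(BLOCK_RANGE) for _ in range(4)]
        hits_ocbc += figure1_distinguisher(lambda m: ocbc(perm, iv, m), msg)
        hits_rand += figure1_distinguisher(RandomOnlinePermutation(3000 + t), msg)
    return hits_ocbc, hits_rand


if __name__ == "__main__":
    # OCBC is recognised in every trial; the random tree only about 1/2^n of the time.
    print(run_attack())
```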



ABC AS AN ON-LINE CIPHER. Knudsen in [7] proposes the Accumulated Block 
Chaining (ABC) mode of operation for block ciphers. This is an on-line cipher 
that is a natural starting point in the problem of finding a secure on-line cipher 
because it has the property of “infinite error propagation.” We formalize and 
analyze ABC with regard to meeting our security requirements. 

The mode is parameterized by initial values P[0], C[0] ∈ {0,1}^n and also 
by a public function h: {0,1}^n → {0,1}^n. (Instantiations for h suggested in [7] 
include the identity function, the constant function always returning 0^n, and the 
function which rotates its input by one bit.) We are interested in the security of 
the mode across various settings and choices of these parameters. (In particular, 
we want to consider the case where the initial values are public and also the case 
where they are secret, and see how the choice of h impacts security in either 
case.) Accordingly, it is convenient to first introduce auxiliary functions EABC 
and DABC. For M, C ∈ D_{d,n} and eK ∈ {0,1}^{ek}, we define 



EABC(eK, P[0], C[0], M) 
    Parse M as M[1] ... M[l] with l ≥ 1 
    For i = 1, ..., l do 
        P[i] ← M[i] ⊕ h(P[i−1]) 
        C[i] ← E(eK, P[i] ⊕ C[i−1]) ⊕ P[i−1] 
    EndFor 
    Return C[1] ... C[l] 

DABC(eK, P[0], C[0], C) 
    Parse C as C[1] ... C[l] with l ≥ 1 
    For i = 1, ..., l do 
        P[i] ← E^{-1}(eK, C[i] ⊕ P[i−1]) ⊕ C[i−1] 
        M[i] ← P[i] ⊕ h(P[i−1]) 
    EndFor 
    Return M[1] ... M[l] 



We now define two versions of the ABC cipher. The first uses public initial 
values, while the second uses secret initial values. The ABC cipher with public 
initial values associated to E, denoted PABC, has key space {0,1}^{ek} and domain 
and range D_{d,n}. We fix values P[0], C[0] ∈ {0,1}^n which are known to all parties 
including the adversary. We then define the cipher and the inverse cipher as 
follows: 

PABC(eK, M) 
    Return EABC(eK, P[0], C[0], M) 

PABC^{-1}(eK, C) 
    Return DABC(eK, P[0], C[0], C) 

The ABC cipher with secret initial values associated to E, denoted SABC, has 
key space {0,1}^{ek+2n} and domain and range D_{d,n}. The key is eK || P[0] || C[0]. We 
then define the cipher and the inverse cipher as follows: 

SABC(eK || P[0] || C[0], M) 
    Return EABC(eK, P[0], C[0], M) 

SABC^{-1}(eK || P[0] || C[0], C) 
    Return DABC(eK, P[0], C[0], C) 

It is easy to check that both the above ciphers are n-on-line. 

Distinguisher A^g 
    Let M[1], ..., M[l] be any n-bit strings 
    Let M_1 = 0^n M[2] ... M[l] and let M_2 = 1^n M[2] ... M[l] 
    Let C_1[1] ... C_1[l] ← g(M_1) and let C_2[1] ... C_2[l] ← g(M_2) 
    Let M_3[2] = M[2] ⊕ C_1[1] ⊕ C_2[1] ⊕ h(0^n ⊕ h(P[0])) ⊕ h(1^n ⊕ h(P[0])) 
    Let M_3 = 1^n M_3[2] M[3] ... M[l] 
    Let C_3[1] ... C_3[l] ← g(M_3) 
    If C_3[2] = C_1[2] ⊕ 1^n, then return 1 else return 0 

Fig. 2. Attack on the ABC based on-line cipher. 

We show that the ABC cipher with public initial values is not a secure OPRP 
for all choices of the function h. The attack is shown in Figure 2. The adversary 
A gets an oracle g where g is either an instance of PABC or an instance of 
OPerm_{d,n}. The adversary can mount this attack because the function h as well 
as the value P[0] are public. We claim that 

Adv^{oprp-cpa}_{PABC}(A) ≥ 1 − 2 · 2^{−n} . (2) 

Since A made only three oracle queries, this means that PABC is not a secure 
on-line cipher. 

We show that the ABC cipher with secret initial values is not a secure OPRP 
for a class of functions h that includes the ones suggested in [7]. Specifically, let 
us say that a function h: {0,1}^n → {0,1}^n is linear if h(x ⊕ y) = h(x) ⊕ h(y) 
for all x, y ∈ {0,1}^n. (Notice that the identity function, the constant function 
always returning 0^n, and the function which rotates its input by one bit are all 
linear.) For any linear hash function h, we simply note that the above attack 
applies. This is because the fourth line of the adversary’s code can be replaced 
by 

    Let M_3[2] = M[2] ⊕ C_1[1] ⊕ C_2[1] ⊕ h(0^n) ⊕ h(1^n) 

The adversary can compute M_3[2] because h is public. The fact that h is linear 
means that the value M_3[2] is the same as before, so the attack has the same 
success probability. The analysis for the attacks against both PABC and SABC 
appears in the full version of this paper [?]. 



5 Lemmas about AXU Families 

Our constructions of on-line ciphers will use the families of AXU (Almost Xor 
Universal) functions as defined by Krawczyk [?]. We recall the definition, and 
then prove some lemmas that will be helpful in our analyses. 

Definition 3. Let n, hk ≥ 1 be integers, and let H: {0,1}^{hk} × {0,1}^n → {0,1}^n 
be a family of functions. Let 

Adv^{axu}_H = \max_{x_1, x_2, y} \{ \Pr[ K \xleftarrow{R} \{0,1\}^{hk} : H(K, x_1) \oplus H(K, x_2) = y ] \} 

where the maximum is over all distinct x_1, x_2 ∈ {0,1}^n and all y ∈ {0,1}^n. 



The “advantage function” based notation we are introducing is novel: previous 
works used instead the term “ε-AXU” family to refer to a family H that, in our 
notation, has Adv^{axu}_H ≤ ε. We find the “advantage function” based notation 
more convenient, and more consistent with the rest of our security definitions. 

The definition is information-theoretic, talking of the maximum value of some 
probability. We will find it convenient to think in terms of an adversary attacking 
the scheme, and will use the following lemma. We stress that below there are no 
limits on the running time of the adversary. This lemma is standard, and follows 
easily from Definition 3, so we omit the proof. 



Lemma 1. Let n, hk ≥ 1 be integers, and let H: {0,1}^{hk} × {0,1}^n → {0,1}^n 
be a family of functions. Let A be any possibly probabilistic algorithm that takes 
no inputs and returns a triple (x_1, x_2, y) of n-bit strings. Then 

\Pr[ (x_1, x_2, y) \leftarrow A ; K \xleftarrow{R} \{0,1\}^{hk} : H(K, x_1) \oplus H(K, x_2) = y ] \le Adv^{axu}_H . 



In the formulation of Lemma 1, it is important that the adversary is constrained 
to pick x_1, x_2, y before the key K is chosen. In our upcoming analyses, we will, 
in contrast, be considering an adversary that obtains some partial information 
regarding H(K, ·) in the course of its search for a certain kind of “collision,” 
and uses this to guide its search. Specifically, our adversary B can be viewed 
as having access to an oracle that knows a key K. The adversary functions in 
stages. In stage i, it produces a pair (x_i, y_i) of values which it submits to the 
oracle. The latter responds with a bit indicating whether or not there exists 
some j ∈ {1, ..., i − 1} such that H(K, x_j) ⊕ H(K, x_i) = y_j ⊕ y_i. (The oracle is 
stateful because it has to remember the adversary’s queries from previous stages in 
order to be able to answer the current query.) We wish to argue that the partial 
information about H(K, ·) that is obtained by the adversary via this process is 
not too large. Specifically, we argue that the probability that the adversary ever 
gets back a positive response from the oracle is O(q^2) · Adv^{axu}_H. 

In the formal definition that follows, we first describe an algorithm that serves 
as a stateful oracle discussed above. Then, we describe an experiment in which 
the adversary B with oracle access to the algorithm is executed. 

Definition 4. Let H: {0,1}^{hk} × {0,1}^n → {0,1}^n be a family of hash functions, 
and let hK be a string of length hk. We define the following stateful algorithm 
D. It maintains a counter i and arrays X, Y, and takes n-bit strings x, y as 
inputs. Then, we let B be an adversary with oracle access to D_{hK} and define an 
experiment in which B executes. 

Algorithm D_{hK}(x, y) 
    i ← i + 1; r ← 0; X[i] ← x; Y[i] ← y 
    For j = 1, ..., i − 1 do 
        If (H(hK, X[j]) ⊕ Y[j] = H(hK, X[i]) ⊕ Y[i]) and (X[j] ≠ X[i]) then r ← j 
    EndFor 
    Return r 

Experiment Exp^{axu-coll}_H(B) 
    hK ←R {0,1}^{hk} 
    Initialize D_{hK} with i = 0 and X, Y empty 
    Run B^{D_{hK}} until it halts 
    If B made some oracle query that received a non-zero response, 
        then return 1, else return 0. 

We define the advantage of the adversary B and the AXU-Collision advantage 
function of H as follows. For any integer q, 

Adv^{axu-coll}_H(B) = \Pr[ Exp^{axu-coll}_H(B) = 1 ] 

Adv^{axu-coll}_H(q) = \max_B \{ Adv^{axu-coll}_H(B) \} 

where the maximum is taken over all adversaries making q queries. 

The following lemma states the relationship between Definition 3 and 
Definition 4. The proof is presented in the full version of this paper [?]. 

Lemma 2. Let H: {0,1}^{hk} × {0,1}^n → {0,1}^n be a family of hash functions. 
Then, 

Adv^{axu-coll}_H(q) \le q(q - 1) \cdot Adv^{axu}_H . 



6 The HCBC Cipher 

In this section, we suggest a construction of an on-line cipher. We call it HCBC 
and prove its security against chosen-plaintext attacks. This construction is sim- 
ilar to the CBC mode of encryption. The only difference is that each output 
block passes through a keyed hash function before getting exclusive-or-ed with 
the next input block. The key of the hash function is kept secret. 

Construction 1. Let n, d ≥ 1 be integers, and let E: {0,1}^{ek} × {0,1}^n → 
{0,1}^n be a block cipher. Let H: {0,1}^{hk} × {0,1}^n → {0,1}^n be a family of 
hash functions. We associate to them a cipher HCBC: {0,1}^{ek+hk} × D_{d,n} → D_{d,n}. 
A key for it is a pair eK || hK where eK is a key for E and hK is a key for H. The 
cipher and its inverse are defined as follows for M, C ∈ D_{d,n}. Figure 3 illustrates 
the cipher. 

Fig. 3. The HCBC cipher. 



HCBC(eK || hK, M) 
    Parse M as M[1] ... M[l] with l ≥ 1 
    C[0] ← 0^n 
    For i = 1, ..., l do 
        P[i] ← H(hK, C[i−1]) ⊕ M[i] 
        C[i] ← E(eK, P[i]) 
    EndFor 
    Return C[1] ... C[l] 

HCBC^{-1}(eK || hK, C) 
    Parse C as C[1] ... C[l] with l ≥ 1 
    C[0] ← 0^n 
    For i = 1, ..., l do 
        P[i] ← E^{-1}(eK, C[i]) 
        M[i] ← H(hK, C[i−1]) ⊕ P[i] 
    EndFor 
    Return M[1] ... M[l] 



The following theorem implies that, if E is a PRP secure against chosen-plaintext 
attacks and H is an AXU family of hash functions, then HCBC is an OPRP secure 
against chosen-plaintext attacks. 

Theorem 1. Let E: {0,1}^{ek} × {0,1}^n → {0,1}^n be a block cipher, and let 
H: {0,1}^{hk} × {0,1}^n → {0,1}^n be a family of hash functions. Let HCBC be 
the n-on-line cipher associated to them as per Construction 1. Then, for any 
integers t, q_e, μ_e > 0 such that μ_e/n ≤ 2^{n−1}, we have 

Adv^{oprp-cpa}_{HCBC}(t, q_e, \mu_e) \le Adv^{prp-cpa}_E(t, \mu_e/n, \mu_e) + \frac{\mu_e^2}{n^2} \cdot Adv^{axu}_H + \frac{\mu_e^2 + 2n(q_e + 1)\mu_e}{n^2 \cdot 2^n} . 

HCBC is not secure against chosen-ciphertext attacks. We present an attack in 
the full version of this paper [?]. 

A complete proof of Theorem 1 can be found in the full version of this paper 
[?]. In the rest of this section, we provide an overview of this proof. 

We introduce the notation HCBC_π(hK, ·) to denote an instance of a cipher 
defined by Construction 1 where a permutation π and π^{-1} are used in place of a 
permutation from the family E and its inverse, respectively. The proof looks at 
an on-line cipher as a 2^n-ary tree of permutations on {0,1}^n, and goes through 
a hybrid argument involving a sequence of different games that “move” from 
OPerm_{d,n} to HCBC. Let A be an adversary that has oracle access to a length- 
preserving function f: D_{d,n} → D_{d,n}. We assume that A makes at most q_e oracle 
queries the sum of whose lengths is at most μ_e bits. We define three games 
associated with the adversary A as follows. 

Game 1. Choose a tree of random permutations T ←R Tree(n, Perm_n, d). Run 
A, replying to its oracle queries via T as described in Section 3. Let P_1 be the 
probability that A returns 1. 

Game 2. Choose a random permutation π ←R Perm_n, and choose a random key 
for H via hK ←R {0,1}^{hk}. Run A, replying to its oracle queries via HCBC_π(hK, ·). 
Let P_2 be the probability that A returns 1. 

Game 3. Choose random keys for E and H via eK ←R {0,1}^{ek} and hK ←R 
{0,1}^{hk}, respectively. Run A, replying to its oracle queries via HCBC(eK || hK, ·). 
Let P_3 be the probability that A returns 1. 

By the definition of Adv^{oprp-cpa}_{HCBC}(A) we have 

Adv^{oprp-cpa}_{HCBC}(A) = P_3 - P_1 = (P_3 - P_2) + (P_2 - P_1) . (3) 

We bound the difference terms via the following lemmas: 

Lemma 3. P_3 - P_2 \le Adv^{prp-cpa}_E(t, \mu_e/n, \mu_e) 

Lemma 4. P_2 - P_1 \le \frac{\mu_e^2 + 2n(q_e + 1)\mu_e}{n^2 \cdot 2^n} + Adv^{axu-coll}_H(\mu_e/n) 

Equation (3), Lemma 2 and the above lemmas imply the statement of the the- 
orem. We proceed to discuss the proofs of the lemmas. 

The proof of Lemma 3 is a standard simulation argument, detailed in [?]. The 
rest of this section is devoted to an overview of the proof of Lemma 4. We let 
M_1, ..., M_{q_e} denote A’s queries, where M_j = M_j[1] ... M_j[l_j] for j = 1, ..., q_e. 
Let hK denote the key of the hash function, and π the choice of permutation 
from Perm_n, that underlie Game 2. Then we introduce the following notation in 
this game: 

For each j = 1, ..., q_e 
    Let C_j[0] = 0^n 
    For i = 1, ..., l_j 
        Let P_j[i] = H(hK, C_j[i − 1]) ⊕ M_j[i] and let C_j[i] = π(P_j[i]) 

We now define some events in Game 2: 

Event ZO_2 : There exist (i, j) such that 1 ≤ j ≤ q_e, 1 ≤ i ≤ l_j and C_j[i] = 0^n 

Event HC : There exist (i, j), (i', j') such that 1 ≤ j ≤ j' ≤ q_e, 1 ≤ i ≤ l_j, 
    1 ≤ i' ≤ l_{j'} and P_j[i] = P_{j'}[i'], but C_j[i − 1] ≠ C_{j'}[i' − 1] 

Event B_2 : ZO_2 ∨ HC. 

Now let T denote the random choice of tree from Tree(n, Perm_n, d) that underlies 
Game 1 and introduce the following notation in this game: 

For each j = 1, ..., q_e 
    Let X_j[0] = ε 
    For i = 1, ..., l_j 
        Let C_j[i] = T_{X_j[i−1]}(M_j[i]) and let X_j[i] = X_j[i − 1] || C_j[i] 

We now define some events in Game 1: 

Event ZO_1 : There exist (i, j) such that 1 ≤ j ≤ q_e, 1 ≤ i ≤ l_j and C_j[i] = 0^n 

Event OC : There exist (i, j), (i', j') such that 1 ≤ j ≤ j' ≤ q_e, 1 ≤ i ≤ l_j, 
    1 ≤ i' ≤ l_{j'} and X_j[i − 1] ≠ X_{j'}[i' − 1] but C_j[i] = C_{j'}[i'] 

Event B_1 : ZO_1 ∨ OC 

Let Pr_1[·] denote the probability function underlying Game 1, namely that 
created by the random choice T ←R Tree(n, Perm_n, d), and let Pr_2[·] denote the 
probability function underlying Game 2, namely that created by the random 
choices of π and hK. Let F denote HCBC_π(hK, ·). 

Claim. Pr_2[ A^F = 1 | ¬B_2 ] = Pr_1[ A^T = 1 | ¬B_1 ] 

Given this claim, a conditioning argument can be used to show that 

P_2 - P_1 \le Pr_2[HC] + Pr_2[ZO_2] + Pr_1[B_1] . 



The terms are bounded via the following claims: 

Claim. Pr_2[HC] \le Adv^{axu-coll}_H(\mu_e/n) 

Claim. Pr_2[ZO_2] \le \frac{\mu_e}{n \cdot 2^n} 

Claim. Pr_1[B_1] \le \frac{\mu_e^2 + 2n q_e \mu_e}{n^2 \cdot 2^n} 

The proofs of the four claims above can be found in [?]. We conclude this sketch 
by providing some intuition regarding the choice of the “bad” events, beginning 
with the following definition. 

Definition. Suppose 1 ≤ j, j' ≤ q, 1 ≤ i ≤ l_j and 1 ≤ i' ≤ l_{j'}. We say that 
(i, j) ≺ (i', j') if either j = j' and i < i', or j < j'. We say that (i', j') is trivial 
if there exists some j < j' such that ni' ≤ |LCP_n(M_j, M_{j'})|. 

We claim that the bad event B_2 has been chosen so that, in its absence, the 
following is true for every non-trivial (i', j'): If (i, j) ≺ (i', j') then P_j[i] ≠ P_{j'}[i']. 
In other words, any two input points to the function π are unequal unless they 
are equal for the trivial reason that the corresponding message prefixes are equal. 
This means that in the absence of the bad event, ciphertext blocks whose value 
is not “forced” by message prefix conditions are random but distinct, being 
outputs of a random permutation. We have chosen event B_1 in Game 1 so that 
the output distribution here, conditioned on the absence of this event, is the 
same. 
7 Usage of Online Ciphers 

The use of an on-line cipher can provide strong privacy and authenticity prop- 
erties, even though the cipher itself is weak compared to a standard one, if 
the plaintext space has appropriate properties. This follows via the encode- 
then-encipher paradigm of [?], under which we imagine an explicit encoding step 
applied to the raw data before enciphering. While [?] say that randomness and 
redundancy anywhere in the message suffices, we have to be more constrained: 
we prepend randomness and append redundancy. 



Construction 2. Let n, d be integers, and let F: Keys(F) × D_{d,n} → D_{d,n} 
be a cipher. We associate to them the following symmetric encryption scheme 
SE = (K, E, D): 

Algorithm K 
    K ←R Keys(F) 
    Return K 

Algorithm E(K, M) 
    r ←R {0,1}^n 
    x ← r || M || 0^n 
    C ← F(K, x) 
    Return C 

Algorithm D(K, C) 
    x ← F^{-1}(K, C) 
    If |x| < 3n then return ⊥ 
    Parse x as r || M || τ with |r| = |τ| = n 
    If τ = 0^n then return M 
    Else return ⊥ 



We want to show that this scheme provides privacy, when F is an n-on-line 
cipher secure against chosen-plaintext attacks, and authenticity, when F is an 
n-on-line cipher secure against chosen-ciphertext attacks. Definitions for these 
privacy and authenticity notions are standard (see for example [?]). Briefly, the 
symmetric encryption scheme achieves privacy and is called IND-CPA-secure if 
no polynomial time adversary, which gets to see ciphertexts for plaintexts of its 
choice and is given a challenge ciphertext, can get “any” information about the 
underlying plaintext. The symmetric encryption scheme achieves integrity and 
is called INT-CTXT-secure if no polynomial time adversary, which gets to see 
ciphertexts of plaintexts of its choice, can create a “new” valid ciphertext. The 
following claims state our results. 

Proposition 4. Let F: Keys(F) × D_{d,n} → D_{d,n} be an n-on-line cipher, and let 
SE = (K, E, D) be the symmetric encryption scheme defined in Construction 2. 
Then, for any integers t, q_e, μ_e > 0, 

Adv^{ind-cpa}_{SE}(t, q_e, \mu_e) \le 2 \cdot Adv^{oprp-cpa}_F(t, q_e, \mu_e) + [additive term illegible in the source] . 

Also, for any integers t, q_e, q_d, μ_e, μ_d > 0, 

Adv^{int-ctxt}_{SE}(t, q_e, q_d, \mu_e, \mu_d) \le 2 \cdot Adv^{oprp-cca}_F(t, q_e, \mu_e, q_d, \mu_d) + [additive term illegible in the source] . 

That is, if F is an n-on-line cipher secure against chosen-plaintext attacks, then 
SE is IND-CPA secure, and if F is also secure against chosen-ciphertext attacks, 
then SE is INT-CTXT secure. 

The proof of Proposition 4 is simple and follows [3]. We present it in [?]. Note 
that if n-on-line ciphers are used to encrypt messages which by their nature start 
with at least n random bits and end with some fixed sequence of n bits, then 
we get a symmetric encryption scheme that achieves privacy and integrity and, 
moreover, is length-preserving. 
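The following added Python example (not the paper's code) implements Construction 1 (HCBC) and Construction 2 (SE = (K, E, D)) together over a toy 8-bit block; E is a key-seeded random permutation and H(hK, x) = hK · x in GF(2^8) is the example's own choice of AXU family, both assumptions of this example rather than anything the paper specifies. It checks the key count behind Definition 3 by brute force, the on-line property of HCBC, the r || M || 0^n encoding and its rejection of a modified last block, and the caveat that with HCBC, which is not CCA-secure, a modified interior block still passes the 0^n check.

```python
import os
import random

N_BITS = 8                  # toy block size n = 8: one byte per block
BLOCK_RANGE = 1 << N_BITS
ZERO = 0x00                 # the block 0^n


def make_block_cipher(seed):
    """Toy block cipher E(eK, .): a key-seeded random permutation of {0,1}^8
    (constructed stand-in for a real block cipher). Returns the (E, E^-1) tables."""
    rng = random.Random(seed)
    perm = list(range(BLOCK_RANGE))
    rng.shuffle(perm)
    inv = [0] * BLOCK_RANGE
    for x, y in enumerate(perm):
        inv[y] = x
    return perm, inv


def gf256_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def axu_hash(hk, x):
    """H(hK, x) = hK * x in GF(2^8) (this example's choice of H). For x1 != x2 the
    equation H(hK,x1) xor H(hK,x2) = hK * (x1 xor x2) = y has exactly one solution
    hK for every y, so the family has Adv^axu_H = 2^-n."""
    return gf256_mul(hk, x)


def axu_key_count(x1, x2, y):
    """Number of keys hK with H(hK,x1) xor H(hK,x2) = y: the numerator of the
    probability in Definition 3, found by brute force over all 2^8 keys."""
    return sum(1 for hk in range(BLOCK_RANGE)
               if axu_hash(hk, x1) ^ axu_hash(hk, x2) == y)


def hcbc(e_perm, hk, msg):
    """HCBC(eK || hK, M) of Construction 1, with C[0] = 0^n."""
    out, prev = [], ZERO
    for m in msg:
        prev = e_perm[axu_hash(hk, prev) ^ m]   # C[i] = E(eK, H(hK, C[i-1]) xor M[i])
        out.append(prev)
    return out


def hcbc_inv(e_inv, hk, ct):
    """HCBC^-1(eK || hK, C)."""
    out, prev = [], ZERO
    for c in ct:
        out.append(axu_hash(hk, prev) ^ e_inv[c])   # M[i] = H(hK, C[i-1]) xor E^-1(eK, C[i])
        prev = c
    return out


# Construction 2: SE = (K, E, D) with F = HCBC and x = r || M || 0^n.
def se_keygen(seed):
    """Algorithm K: returns (eK, hK), where eK seeds the toy block cipher."""
    rng = random.Random(seed)
    return rng.randrange(1 << 30), rng.randrange(1, BLOCK_RANGE)


def se_encrypt(key, msg, rand_block=None):
    """Algorithm E(K, M). rand_block lets a test fix the random block r."""
    ek, hk = key
    e_perm, _ = make_block_cipher(ek)
    r = os.urandom(1)[0] if rand_block is None else rand_block
    return hcbc(e_perm, hk, [r] + list(msg) + [ZERO])


def se_decrypt(key, ct):
    """Algorithm D(K, C): returns M, or None standing for bottom."""
    ek, hk = key
    _, e_inv = make_block_cipher(ek)
    if len(ct) < 3:                          # |x| < 3n
        return None
    x = hcbc_inv(e_inv, hk, ct)
    msg, tag = x[1:-1], x[-1]                # x = r || M || tau
    return msg if tag == ZERO else None


def interior_tamper_accepted(key, msg):
    """Flip one bit of the second ciphertext block (msg must have >= 2 blocks) and
    decrypt. HCBC^-1 propagates a changed C[i] only into M[i] and M[i+1], so the
    trailing 0^n survives and D accepts a modified message: the redundancy check
    relies on F being CCA-secure (Proposition 4), which HCBC is not."""
    ct = se_encrypt(key, msg)
    ct[1] ^= 0x01
    return se_decrypt(key, ct)
```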
Abstract. We study the question of how to generically compose sym- 
metric encryption and authentication when building “secure channels” 
for the protection of communications over insecure networks. We show 
that any secure channels protocol designed to work with any combina- 
tion of secure encryption (against chosen plaintext attacks) and secure 
MAC must use the encrypt-then-authenticate method. We demonstrate 
this by showing that the other common methods of composing encryp- 
tion and authentication, including the authenticate-then-encrypt method 
used in SSL, are not generically secure. We show an example of an en- 
cryption function that provides (Shannon’s) perfect secrecy but when 
combined with any MAC function under the authenticate-then-encrypt 
method yields a totally insecure protocol (for example, finding passwords 
or credit card numbers transmitted under the protection of such protocol 
becomes an easy task for an active attacker). The same applies to the 
encrypt-and-authenticate method used in SSH. 

On the positive side we show that the authenticate-then-encrypt method 
is secure if the encryption method in use is either CBC mode (with an 
underlying secure block cipher) or a stream cipher (that xors the data 
with a random or pseudorandom pad). Thus, while we show the generic 
security of SSL to be broken, the current practical implementations of 
the protocol that use the above modes of encryption are safe. 

1 Introduction 

The most widespread application of cryptography in the Internet these days is 
for implementing a secure channel between two end points and then exchanging 
information over that channel. Typical implementations first call a key-exchange 
protocol for establishing a shared key between the parties, and then use this 
key to authenticate and encrypt the transmitted information using (efficient) 
symmetric-key algorithms. The three most popular protocols that follow this 
approach are SSL (or TLS [?]), IPSec [?] and SSH [?]. In particular, 
SSL is used to protect a myriad of passwords, credit card numbers, and other 

* A full version of this paper can be found in [?]. 

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 310–[?], 2001. 
© Springer-Verlag Berlin Heidelberg 2001 
sensitive data transmitted between Web clients and servers, and is used to secure 
many other applications. IPSec is the standard for establishing a secure channel 
between any two IP entities for protecting information at the network layer. 

As said, all these protocols apply both symmetric authentication (MAC) and 
encryption to the transmitted data. Interestingly, each of these three popular 
protocols has chosen a different way to combine authentication and encryption. 
We describe these three methods (here x is a message; Enc() is a symmetric 
encryption function; Auth() is a message authentication code; and ‘,’ denotes 
concatenation — in this notation the secret keys to the algorithms are implicit): 

SSL: a = Auth(x), C = Enc(x, a), transmit C 

IPSec: C = Enc(x), a = Auth(C), transmit (C, a) 

SSH: C = Enc(x), a = Auth(x), transmit (C, a). 

We refer to these three methods as authenticate-then-encrypt (abbreviated AtE), 
encrypt-then-authenticate (EtA), and encrypt-and-authenticate (E&A), respec- 
tively. 
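An added example (not from the paper) of the three compositions in Python, using HMAC-SHA256 as Auth and a constructed pseudorandom-pad stream cipher as Enc (both assumptions of this example), with a receiver for each; it also shows a point the text states in passing, that a MAC computed directly over the plaintext, as in E&A, reveals repeated plaintexts on the wire, whereas the EtA tag over a randomised ciphertext does not.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def enc(ek, x, nonce=None):
    """Constructed toy stream cipher: xor x with a pad of SHA-256(ek, nonce, counter)
    blocks under a fresh 16-byte nonce (the 'xor with a pseudorandom pad' form).
    Returns nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    pad = b"".join(hashlib.sha256(ek + nonce + i.to_bytes(4, "big")).digest()
                   for i in range((len(x) + 31) // 32))
    return nonce + bytes(a ^ b for a, b in zip(x, pad))


def dec(ek, c):
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return enc(ek, body, nonce)[NONCE_LEN:]    # same pad, so the xor undoes enc


def auth(ak, x):
    """MAC: HMAC-SHA256, deterministic as MACs usually are."""
    return hmac.new(ak, x, hashlib.sha256).digest()


# SSL: a = Auth(x), C = Enc(x, a), transmit C   (authenticate-then-encrypt)
def ate_send(ek, ak, x):
    return enc(ek, x + auth(ak, x))


def ate_recv(ek, ak, c):
    y = dec(ek, c)
    x, a = y[:-TAG_LEN], y[-TAG_LEN:]
    return x if hmac.compare_digest(a, auth(ak, x)) else None


# IPSec: C = Enc(x), a = Auth(C), transmit (C, a)   (encrypt-then-authenticate)
def eta_send(ek, ak, x):
    c = enc(ek, x)
    return c, auth(ak, c)


def eta_recv(ek, ak, c, a):
    if not hmac.compare_digest(a, auth(ak, c)):   # reject before touching the plaintext
        return None
    return dec(ek, c)


# SSH: C = Enc(x), a = Auth(x), transmit (C, a)   (encrypt-and-authenticate)
def eaa_send(ek, ak, x):
    return enc(ek, x), auth(ak, x)


def eaa_recv(ek, ak, c, a):
    x = dec(ek, c)
    return x if hmac.compare_digest(a, auth(ak, x)) else None


def transmitted_tags_repeat(method, ek, ak, x):
    """Send x twice and report whether a passive observer sees identical tags.
    The E&A tag is a deterministic function of the plaintext, so repeats of x are
    visible on the wire; the EtA tag covers the randomised ciphertext, so they are not."""
    send = {"EtA": eta_send, "E&A": eaa_send}[method]
    (_, a1), (_, a2) = send(ek, ak, x), send(ek, ak, x)
    return a1 == a2
```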

This disparity of choices reflects lack of consensus in the cryptography and 
security communities as to the right way to apply these functions. But is there 
a “right way”, or are all equally secure? Clearly, the answer to this question 
depends on the assumptions one makes on the encryption and authentication 
functions. However, since protocols like the above are usually built using crypto- 
graphic functions as replaceable modules, the most useful form of this question is 
obtained by considering both functionalities, encryption and authentication, as 
generic cryptographic primitives with well defined (and independent from each 
other) properties. Moreover, we want these properties to be commonly achieved 
by the known efficient methods of symmetric encryption and authentication, and 
expected to exist in future practical realizations of these functions as well. 

Specifically, we consider generic MAC functions secure against chosen-message 
attacks and generic symmetric encryption functions secure against chosen- 
plaintext attacks. These security properties are the most common notions used 
to model the security of these cryptographic primitives. In particular, chosen- 
message security of the authentication function allows the MAC to be used in the 
above protocols independently of the encryption in cases where only integrity 
protection is required but not secrecy. As for encryption, chosen-plaintext secu- 
rity is the most common property under which encryption modes are designed 
and analyzed. We note that a stronger property of encryption is resistance to 
chosen-ciphertext attacks; while this property is important against active at- 
tacks it is NOT present in the prevalent modes of symmetric encryption (such 
as in stream ciphers or CBC mode even when the underlying block cipher is 
chosen-ciphertext secure) and therefore assuming this strong property as the 
basic secrecy requirement of the encryption function would exclude the use of 
such standard efficient mechanisms. 

Rather than just studying the above ways of composing encryption and au- 
thentication as a stand-alone composed primitive, our focus is on the more com- 
prehensive question of whether these methods provide for truly secure commu- 
nications (i.e., secrecy and integrity) when embedded in a protocol that runs in 
a real adversarial network setting (where links are controlled by the attacker, 
where some of the parties running the protocol may be corrupted, where multiple 
security sessions are run simultaneously and maliciously interleaved, etc.). 

Recent results. In a recent work, Canetti and Krawczyk [?] describe a model 
of secure channels that encompasses both the initial exchange of a key between 
pairs of communicating parties and the use of the resultant shared key for the 
application of symmetric encryption and authentication on the transmitted data. 
The requirements made from secure channels in this model include protecting the 
data’s integrity (in the sense of simulating ideally authenticated channels) and 
secrecy (in the sense of plaintext indistinguishability) in the presence of a net- 
work attacker with powerful and realistic abilities of the type mentioned above. A 
main result in [?] is that if the key is shared securely then applying to the data 
the encrypt-then-authenticate method achieves secure channels provided that 
the encryption function is semantically secure (or plaintext-indistinguishable) 
under a chosen-plaintext attack and the authentication function is a MAC that 
resists chosen message attacks. This provides one important answer to the ques- 
tions raised above: it proves that encrypt-then-authenticate is a generically secure 
method for implementing secure channels. 

Our results. In this paper we complement the above result on the encrypt- 
then-authenticate method with contrasting results on the other two methods. 
The generic insecurity of AtE. We show that the authenticate-then- 
encrypt method (as in SSL) is not generically secure under the sole assumption 
that the encryption function is secure against chosen plaintext attacks and the 
MAC secure against chosen message attacks. We show an example of a simple 
encryption function that enjoys perfect (in the sense of Shannon) secrecy against 
chosen plaintext attacks and when combined under the AtE method with any 
MAC (even a perfect one) results in a totally breakable implementation of se- 
cure channels. To illustrate the insecurity of the resultant scheme we show how 
passwords (and credit card numbers, etc) transmitted under such a method can 
be easily discovered by an active attacker that modifies some of the information 
on the links. A major issue to highlight here is that the attack is not against 
the authenticity of information but against its secrecy! This result is particu- 
larly unfortunate in the case of SSL where protection of this form of sensitive 
information is one of the most common uses of the protocol. 

The generic insecurity of E&A. The above example is used also to demon- 
strate the insecurity of the encrypt-and-authenticate method (as in SSH) where 
the same attack (and consequences) is possible. It is worth noting that the E&A 
method is obviously insecure if one uses a MAC function that leaks information on the 
data. However, what our attack shows is that the method is not generically se- 
cure even if one assumes a stronger MAC function with secrecy properties as 
commonly used in practice (e.g. a MAC realized via a pseudorandom family or 
if the MAC’s tag itself is encrypted). 

The security of AtE with specific encryption modes. This paper 
does not bring just bad news. We also show that the authenticate-then-encrypt 
method is secure under two very common forms of encryption: CBC mode (with 
an underlying secure block cipher) and stream ciphers (that xor the data with 
a random or pseudorandom pad). We provide a (near optimal) quantified secu- 
rity analysis of these methods. While these positive results do not resolve the 
“generic weakness” of the authenticate-then-encrypt method (and of SSL), they 
do show that the common implementations currently in use do result in a secure 
channels protocol. 

In conjunction, these results show a quite complete picture of the security
(and lack of security) of these methods. They point to the important conclusion
that any secure channels protocol designed to work with any combination of
secure encryption (against chosen plaintext attacks) and secure MAC must use
the encrypt-then-authenticate method. On the other hand, protocols that use
the authenticate-then-encrypt method with encryption in either stream cipher
or CBC modes are safe. However, we note the fragility of this last statement:
very simple (seemingly innocuous) changes to the encryption function, including
changes that do not influence the secrecy protection provided by the encryption
when considered as a stand-alone primitive, can be fatal for the security of the
implemented channels. This is illustrated by our example of a perfect cipher
where the sole use of a simple encoding before encryption compromises the
security of the transmitted data, or by the case of CBC encryption where the
joint encryption of message and MAC results in a secure protocol but separate
encryption of these elements is insecure. Thus, when using a non-generically
secure method one has to be very careful with any changes to existing functions
or with the introduction of new encryption mechanisms (even if these mechanisms
are secure as stand-alone functions).

Open question. Our results demonstrate that chosen-plaintext security is not a
sufficient condition for an encryption scheme to guarantee a secure
authenticate-then-encrypt composition even if the MAC is secure. An interesting
open question is to find a stronger property that is enjoyed by common modes of
encryption but at the same time is sufficient to ensure the security of the
authenticate-then-encrypt method when combined with a secure MAC. Note that we
are looking for a property that is significantly weaker than chosen-ciphertext
security, since the latter is not achieved by most symmetric encryption modes,
but also because our results show that this condition is not really necessary.

Related work. While the interaction between symmetric encryption and
authentication is a fundamental issue in the design of cryptographic protocols,
this question seems to have received surprisingly little explicit attention in
the cryptographic literature until very recently. In contrast, in the last year
we have seen a significant amount of work dealing with this and related
questions.

We already mentioned the work by Canetti and Krawczyk that establishes the
security of the encrypt-then-authenticate method for building secure channels.
Here, we use this result (and some extensions of it) as a basis to derive some
of our positive results. In particular, we borrow from that paper the
formalization of the notion of secure channels; a short outline of this model is
presented in Section 2.3, but the reader is referred directly to that paper for
the (many missing) details.
A recent, independent work that deals directly with the ordering of generic
encryption and authentication is that of Bellare and Namprempre. They study the
same three forms of composition as in this paper but focus on the properties
of the composed function as a stand-alone composed primitive rather than in
the context of its application to secure channels as we do. The main
contribution of their paper is in providing careful quantitative relations and
reductions between different methods and security notions related to these
forms of composition. These results, however, are insufficient in general for
claiming the security, or demonstrating the insecurity, of channels that use
these methods for protecting data. For example, while they show that
authenticate-then-encrypt is not necessarily CCA-secure, it turns out (by the
results of Canetti and Krawczyk and the results here) that the lack of this
property is no reason to consider insecure the channels that use such a method
(moreover, even the specific non-CCA example of Bellare and Namprempre does
provide secure channels). This demonstrates that the consideration of secure
channels requires a finer treatment of the question of encryption/authentication
composition (see the discussion at the beginning of Section 4.2). In particular,
none of our results is claimed or implied by Bellare and Namprempre.

A related subject that received much attention recently is the construction of
encryption modes that provide integrity in addition to secrecy. Katz and Yung
suggest a mode of operation for block ciphers that provides such a functional
combination; for their analysis (and for its independent interest) they
introduce the notion of "unforgeable encryption". A very similar notion is also
introduced by Bellare and Namprempre and called there "integrity of
ciphertexts" (INT-CTXT). We use this notion in our work too (see Section 3) as
a tool in some of our proofs. In another recent work, An and Bellare study the
use of redundancy functions (with and without secret keys) as a method for
adding authentication to encryption functions. They show several positive and
negative results about the type of redundancy functions that are required in
combination with different forms of encryption and security notions. Our
results concerning the authenticate-then-encrypt method with stream ciphers and
CBC modes contribute also to this research direction, since these results
provide sufficient and necessary conditions on the redundancy functions (viewed
as MAC functions) required for providing integrity to these important modes of
encryption. Of particular interest is our proof that a secure AtE composition
that uses CBC encryption requires a strong underlying MAC; this contradicts a
common intuition that (since the message and MAC are encrypted) weaker
"redundancy functions" could replace the full-fledged MAC.

Recently, Jutla devised an elegant CBC-like scheme that provides integrity at
little cost beyond the traditional CBC method, as well as a parallel mode of
encryption with an integrity guarantee (a related scheme has been presented
elsewhere). We note that while schemes such as Jutla's can be used to
efficiently implement secure channels that provide secrecy and authenticity,
generic schemes like encrypt-then-authenticate have several design and analysis
advantages due to their modularity and the fact that the encryption and
authentication components can be designed, analyzed and replaced independently
of each other. In particular, generic schemes can allow for faster
implementations than the specific ones; even today the combination of fast
stream ciphers with a fast MAC function such as UMAC under the
encrypt-then-authenticate method would result in a faster mechanism than the
one proposed by Jutla, which requires the use of block ciphers. Also, having a
separate MAC from encryption allows for much more efficient authentication in
the cases where secrecy is not required.

The Order of Encryption and Authentication for Protecting Communications 315

2 Preliminaries 

We informally outline some well-known notions of security for MAC and
encryption functions as used throughout the paper, and introduce some notation.
References are given below for formal treatment of these notions. We also sketch
the model of "secure channels" from Canetti and Krawczyk.

2.1 Secure Message Authentication 

Functions that provide a way to verify the integrity of information (for
example, against unauthorized changes over a communications network) and which
use a shared secret key are called MAC (message authentication codes). The
notion of a MAC and its security definition is well understood. Here we outline
the main ingredients of this definition as used later in the paper.

A MAC scheme is described as a family of (deterministic) functions over a given
domain and range. (We will usually assume the domain to be $\{0,1\}^*$ and the
range $\{0,1\}^n$ for a fixed size $n$.) The key shared by the parties that use
the MAC scheme determines a specific function from this family. This specific
function is used to compute an authentication tag on each transmitted message,
and the tag is appended to the message. A recipient of the information that
knows the MAC key can re-compute the tag on the received message and compare it
to the received tag. Security of a MAC scheme is defined through the inability
of an attacker to produce a forgery, namely, to generate a message, not
transmitted between the legitimate parties, with its valid authentication tag.
The formal definition of security provides the attacker with access to a MAC
oracle $\mathcal{O}_{MAC}$ that on input a message $x$ outputs the
authentication tag corresponding to that message. The oracle uses for its
responses a key that is generated according to the probability distribution of
keys defined by the MAC scheme. The attacker succeeds if after this interaction
with the oracle it is able to find a forgery (for a message not previously
queried). To quantify security we say that a MAC scheme has security
$\varepsilon_M(q,Q,T)$ if any attacker that works time $T$ and asks $q$ queries
from $\mathcal{O}_{MAC}$ involving a total of $Q$ bits has probability at most
$\varepsilon_M(q,Q,T)$ to produce a forgery.

Remark. In the case of MAC functions (e.g., randomized ones) where there may be
multiple valid tags for the same message, we extend the definition of security
as follows. If the messages queried to $\mathcal{O}_{MAC}$ are
$x_1, x_2, \ldots, x_q$ and the responses from $\mathcal{O}_{MAC}$ are
$t_1, t_2, \ldots, t_q$, then a forgery $(x,t)$ output by the attacker is
considered valid if $(x,t) \neq (x_i,t_i)$ for all $i = 1, \ldots, q$. (Namely,
we consider the attacker successful even in case its forgery includes a queried
message, as long as the tag $t$ was not generated by the oracle for that
message.) This technical strengthening of the definition is used in some of our
results. This notion appears (due to similar reasons) also in other recent
work.



2.2 Secure Symmetric Encryption 

We do not develop a formal definition of encryption security here as the subject 
is well established and treated extensively in the literature. Yet, we summarize 
informally the main aspects of the security notions of symmetric encryption that 
are relevant to our work and establish some notation. For formal and precise 
definitions see the references mentioned below. 

An encryption scheme is a triple of (probabilistic) algorithms (KEYGEN, ENC,
DEC) where KEYGEN defines the process (and resultant probability distribution)
by which keys are generated, while ENC and DEC are the encryption and decryption
operations with the usual inverse properties. To simplify notation we use ENC
to denote the encryption operation itself but also as representing the whole
scheme (i.e., a triple as above). The main notion behind the common definitions
of security of encryption is semantic security, or its (usually) equivalent
formulation via plaintext indistinguishability. In this formulation an attacker
against a scheme ENC is given a target ciphertext $y$ and two candidate
plaintexts $x_1, x_2$ such that $y = ENC(x_i)$, $i \in_R \{0,1\}$ (see the
footnote below). The encryption scheme has the indistinguishability property if
the attacker cannot guess the right value of $i$ with probability significantly
better than $1/2$. The security of the scheme is quantified via the time
invested by the attacker and the probability beyond $1/2$ to guess correctly.

The above describes the goal of the attacker but not the ways of attack it is
allowed to use. Two common models of attack are CPA (chosen plaintext attack)
and CCA (chosen ciphertext attack). In the first the attacker has access to an
encryption oracle $\mathcal{O}_{ENC}$ to which it can present plaintexts and
receive the ciphertexts resulting from the encryption of these plaintexts. In
the second model the attacker can, in addition to the above queries to the
encryption oracle, also ask for decryptions of arbitrary ciphertexts (except for
the target ciphertext $y$) from a decryption oracle $\mathcal{O}_{DEC}$. We
note that both $\mathcal{O}_{ENC}$ and $\mathcal{O}_{DEC}$ use the same key for
their responses, which is also the key under which the target ciphertext $y$,
as described above, is produced. In both cases the queries to the oracles can
be generated adaptively by the attacker, i.e. as a function of previous
responses from the oracles and of the target ciphertext $y$ (actually, also the
candidate plaintexts $x_1, x_2$ on which the target ciphertext $y$ is computed
can be chosen by the attacker). Under these formulations two new parameters
enter the quantification of security: the number of queries to
$\mathcal{O}_{ENC}$ and the number of queries to $\mathcal{O}_{DEC}$ (the
latter is 0 in the case of CPA). A finer quantification would also consider the
total number of bits in these queries.

(*) We use the notation $a \in_R A$ to denote that the element $a$ is chosen
with uniform probability from the set $A$.

As is customary, we denote the above two notions of encryption security as
IND-CPA and IND-CCA. Extensive treatment of these notions can be found in the
literature. A notion strongly related to IND-CCA is non-malleability of
ciphertexts, which we do not use directly here; a weaker notion of CCA security
was introduced earlier in [23]. We also note that we are only concerned with
symmetric encryption; asymmetric encryption shares many of the same aspects but
there are some important differences as well (in particular, in the asymmetric
case encryption oracles are meaningless since everyone can encrypt at will any
plaintext).

2.3 Secure Channels 

In order to claim our positive results, i.e. that a certain combination of
encryption and authentication provides secure communications, we need to define
what is meant by such "secure communications". For this we use the model of
secure channels introduced by Canetti and Krawczyk, which is intended to
capture the standard network-security practice in which communications over
public networks are protected through "sessions" between pairs of communicating
parties, and where each session consists of two stages. First, the two parties
run a key-exchange protocol that establishes an authenticated and secret session
key shared between the parties. Then, in the second stage, this session key is
used, together with symmetric-key cryptographic functions, to protect the
integrity and/or secrecy of the transmitted data. The formalism of that work
involves the definition of a key-exchange protocol for implementation of the
session and key establishment stage, as well as of two functions, snd and rcv,
that define the actions applied to transmitted data for protection over
otherwise insecure links. A protocol that follows this formalism is called a
"network channels protocol", and its security is defined in terms of
authentication and secrecy.

These notions are defined by Canetti and Krawczyk in the context of
communications controlled by an attacker with full control of the information
sent over the links and with the capability of corrupting sessions and parties.
We refer to the full version of that paper for a full description of the
adversarial model and security definitions. Here we only mention briefly the
main elements in this definition concerning the functions snd and rcv. The
function snd represents the operations and transformations applied to a message
by its sender in order to protect it from adversarial action over the
communication links. Namely, when a message $m$ is to be transmitted from party
$P$ to party $Q$ under a session $s$ established between these parties, the
function snd is applied to $m$ and, possibly, to additional information such as
a message identifier. The definition of snd typically consists of the
application of some combination of a MAC and symmetric encryption keyed via the
session key. The function rcv describes the action at the receiving end for
"decoding" and verifying incoming messages, and it typically involves the
verification of a MAC and/or the decryption of an incoming ciphertext.

Roughly speaking, Canetti and Krawczyk define that authentication is achieved
by the protocol if any message decoded and accepted as valid by the receiving
party to a session was indeed sent by the partner to that session. (That is,
any modification of messages produced by the attacker over the communications
links, including the injection or replay of messages, should be detected and
rejected by the recipient; in that paper this is formalized as the "emulation"
of an ideally-authenticated channel.) Secrecy is formalized in the tradition of
semantic security: among the many messages exchanged in a session the attacker
chooses a pair of "test messages" of which only one is sent; the attacker's
goal is to guess which one was sent. Security is obtained if the attacker
cannot guess correctly with probability significantly greater than $1/2$. A
network channels protocol is called a secure channels protocol if it achieves
both authentication and secrecy in the sense outlined above.

In this paper we focus on the way the functions snd and rcv are to be defined
to achieve secure channels, i.e. to provide both authentication and secrecy in
the presence of an attacker as above. We say that any of the combinations EtA,
AtE, E&A implements secure channels if, when used as the specification of the
snd and rcv functions, the resultant protocol is a "secure channels protocol".
Note that we are not concerned here with a specific key-exchange mechanism, but
rather assume a secure key-exchange protocol in the sense of Canetti and
Krawczyk, and may even assume an "ideally shared" session key.



3 CUF-CPA: Ciphertext Unforgeability 

In addition to the traditional notions of security for an encryption scheme
outlined in Section 2.2, we use the following notion of security that we call
ciphertext unforgeability. A similar notion has been recently (and
independently) used by Katz and Yung and by Bellare and Namprempre, where it is
called "existential unforgeability of encryption" and "integrity of ciphertexts
(INT-CTXT)", respectively.

Let ENC be a symmetric encryption scheme, and $k$ be a key for ENC. Let $P(k)$
be the set of plaintexts on which $ENC_k$ is defined, and $C(k)$ be the set of
ciphertexts $\{y : \exists x \in P(k) \text{ s.t. } y = ENC_k(x)\}$ (note that
if ENC is not deterministic then by $y = ENC_k(x)$ we mean that there is a run
of ENC on $x$ that outputs $y$). We call $C(k)$ the set of valid ciphertexts
under key $k$. For example, under a block cipher only strings of the block
length are valid ciphertexts, while in the basic CBC mode only strings that are
multiples of the block length can be valid ciphertexts. We assume that the
decryption oracle $\mathcal{O}_{DEC}$ outputs a special "invalidity symbol"
$\bot$ when queried with an invalid ciphertext (and otherwise outputs the
unique decrypted plaintext $x$).

We say that an encryption scheme is ciphertext unforgeable, and denote it
CUF-CPA, if it is infeasible for any attacker $\mathcal{F}$ (called a
"ciphertext forger") that has access to an encryption oracle
$\mathcal{O}_{ENC}$ with key $k$ to produce a valid ciphertext under $k$ not
generated by $\mathcal{O}_{ENC}$ as response to one of the queries by
$\mathcal{F}$. More precisely, we quantify ciphertext unforgeability by the
function $\varepsilon_{CUF}(q,Q,T)$ defined as the maximal probability of
success for any ciphertext forger $\mathcal{F}$ that queries $q$ plaintexts
totalling $Q$ bits and spends time $T$ in the attack. We stress that this
definition does not involve access to a decryption oracle, and thus its name
CUF-CPA (this is consistent with other common notations of the form X-Y where X
represents the goal of the attacker and Y the assumed abilities of the
attacker).

Our main use of the CUF-CPA notion is for proving (see Section 5) that under
certain conditions the AtE composition is secure, i.e., it implements secure
channels. However, the notion of CUF-CPA, while sufficient for our purposes, is
actually stronger than needed. For example, any scheme ENC that allows for
arbitrary padding of ciphertexts to a length boundary (e.g., to a multiple of 8
bits) will not be CUF-CPA (since given a ciphertext with padded bits any change
to these bits will result in a different yet valid ciphertext). However, such a
scheme may be perfectly secure in the context of implementing secure channels
(see Canetti and Krawczyk); moreover, schemes of this type are common in
practice. Thus, in order to avoid an artificial limitation of the schemes that
we identify as secure for implementing secure channels, we present next a
relaxation of the CUF-CPA notion that is still sufficient for our purposes (we
stress that this is not necessarily the weakest relaxation for this purpose,
and other weakenings of the CUF-CPA notion are possible).

Let $\rho$ be a polynomial-time computable relation on pairs of ciphertexts
computed under the encryption function ENC with the property that $\rho(c,c')$
implies that $c$ and $c'$ decrypt to the same plaintext. Then we say that the
encryption scheme ENC is CUF$_\rho$-CPA if for any valid ciphertext $c$ that
the attacker can feasibly produce there exists a ciphertext $c'$ output by the
encryption oracle such that $\rho(c,c')$. When the relation $\rho$ is not
explicitly described we will refer to this notion as loose ciphertext
unforgeability.

For instance, in the above example of a scheme that allows for arbitrary
padding of ciphertexts, if one defines $\rho(c,c')$ to hold if $c$ and $c'$
differ only on the padding bits, then the scheme can achieve CUF$_\rho$-CPA. We
note that while CUF-CPA implies CCA-security, loose CUF-CPA does not (as the
above "padding example" shows). Indeed, as we pointed out in the introduction
(see also Section 4.2), CCA-security is not a necessary condition for a
MAC/encryption combination to implement secure channels.



4 Generic Composition of Encryption and Authentication 

In this section we study the security of the three methods, EtA, AtE, E&A,
under generic symmetric encryption and MAC functions where the only assumption
is that the encryption is IND-CPA and the MAC is secure against chosen message
attacks. Our focus is on the appropriateness of these methods to provide
security to transmitted data in a realistic setting of adversarially-controlled
networks. In other words, we are interested in whether each one of these
methods, when applied to adversarially-controlled communication channels,
achieves the goals of information secrecy and integrity. As we will see, only
the encrypt-then-authenticate method is generically secure.
4.1 The Known Security of Encrypt-then-Authenticate

The results in this subsection are from Canetti and Krawczyk, and we present
them briefly for completeness. We refer the reader to that paper for details.
In particular, in the statement of the next theorem we use the notion of
"secure channels" as introduced in the above paper and sketched in Section 2.3.

Theorem 1 (Canetti and Krawczyk). If ENC is a symmetric encryption scheme
secure in the sense of IND-CPA and MAC is a secure MAC family then the method
EtA(ENC, MAC) implements secure channels.

Following our terminology from Section 2.3, the meaning of the above theorem is
that if in the network channels model of Canetti and Krawczyk one applies to
each transmitted message the composed function EtA(ENC, MAC) (as the snd
function) then the secrecy and authenticity of the resultant network channels
is guaranteed. More precisely, in proving the above theorem, Canetti and
Krawczyk specify the snd function as follows. First, a pair of (computationally
independent) keys, $K_a$ and $K_e$, are derived from each session key. Then,
for each transmitted message, $m$, a unique message identifier $m\text{-}id$ is
chosen (e.g., a sequence number). Finally, the function snd produces a triple
$(x,y,z)$ where $x = m\text{-}id$, $y = ENC_{K_e}(m)$,
$z = MAC_{K_a}(m\text{-}id, y)$. On an incoming message $(x',y',z')$ the rcv
function verifies the uniqueness of the message identifier $x'$ and the
validity of the MAC tag $z'$ (computed on $(x',y')$); if the checks succeed,
$y'$ is decrypted under key $K_e$ and the resultant plaintext is accepted as a
valid message (*).

A main contribution of the present paper is in showing (see the next
subsections) that a generic result as in Theorem 1 cannot hold for either of
the other two methods, AtE and E&A (even if the used keys are shared with
perfect security). Therefore, any secure channels protocol designed to work with
any combination of secure encryption (against chosen plaintext attacks) and
secure MAC must use the encrypt-then-authenticate method. However, we note in
Section 5 that the above theorem can be extended in the setting of method AtE
if one assumes a stronger property on the encryption function; in particular,
we show two important cases that satisfy the added security requirement.

Remark. Note that the authentication of the ciphertext provides plaintext
integrity as long as the encryption and decryption keys used at the sender and
receiver, respectively, are the same. While this key synchrony is implicit in
our analytical models, a key mismatch can happen in practice. A system
concerned with detecting such cases can check the plaintext for redundancy
information (such redundancy exists in most applications: e.g., message
formats, non-cryptographic checksums, etc.). If the redundancy entropy is
significant then a key mismatch will corrupt this redundancy with high
probability.

(*) Protocols that use a synchronized counter as the message identifier, e.g.
SSL, do not need to transmit this value; yet they must include it under the
MAC computation and verification. If transmitted, identifiers are not encrypted
under $ENC_{K_e}$ since they are needed for verifying the MAC value before the
decryption is applied.

4.2 Authenticate-then-Encrypt Is Not Generically Secure 

Here we show that the authenticate-then-encrypt method AtE(ENC, MAC) is not
guaranteed to be secure for implementing secure channels even if the function
ENC is IND-CPA and MAC provides message unforgeability against chosen message
attacks. First, however, we discuss shortly why this result does not follow
from Bellare and Namprempre, where it is shown that the AtE composition (viewed
as an encryption scheme) does not necessarily provide IND-CCA. The reason is
simple: as demonstrated by Canetti and Krawczyk, IND-CCA is not a necessary
condition for a combination of encryption and MAC functions to implement
secure channels. An example is provided by the main construction of secure
channels in that paper (see Theorem 1): if the MAC used in this scheme enjoys
regular MAC security, rather than the strengthened notion described in the last
remark of Section 2.1, then this construction guarantees secure channels but
not necessarily CCA security. (For example, if the MAC function has the
property that flipping the last bit of an authentication tag does not change
the validity of the tag, then the scheme of Canetti and Krawczyk is not IND-CCA
yet it suffices for implementing secure channels. For a similar example, see
the remark on "multi-valued MAC" following our later theorem on CBC.) Moreover,
the specific example from Bellare and Namprempre of a non-CCA AtE(ENC, MAC)
scheme (*) can by itself be used to show an example of a non-CCA scheme that
provably provides secure channels. Therefore, the result of Bellare and
Namprempre does not say anything about the suitability of AtE(ENC, MAC) for
implementing secure channels; it rather points to the fact that while CCA
security is a useful security notion it is certainly too strong for some
(fundamental) applications such as secure channels.

Thus, if we want to establish the insecurity of authenticate-then-encrypt
channels under generic composition, we need to show an explicit example and a
successful attack. We provide such an example now. In this example the
encryption scheme is IND-CPA (actually, it enjoys "perfect secrecy" in the
sense of Shannon) but when combined with any MAC function under the AtE method
the secrecy of the composed scheme breaks completely under an active attack.

The encryption function ENC*. We start by defining an encryption scheme ENC*
that can be based on any stream cipher ENC (i.e. any encryption function that
uses a random or pseudorandom pad to xor with the data). The scheme ENC*
preserves the IND-CPA security of the underlying scheme ENC. In particular, if
ENC has perfect secrecy (i.e., uses a perfect one-time pad encryption) so does
ENC*. Next, we define ENC*.

Given an $n$-bit plaintext $x$ (for any $n$), ENC* first applies an encoding of
$x$ into a $2n$-bit string $x'$ obtained by representing each bit $x_i$,
$i = 1, \ldots, n$, in $x$ with two bits in $x'$ as follows:

1. if bit $x_i = 0$ then the pair of bits $(x'_{2i-1}, x'_{2i})$ is set to
(0,0);

2. if bit $x_i = 1$ then the pair of bits $(x'_{2i-1}, x'_{2i})$ is set to
(0,1) or to (1,0) (by arbitrary choice of the encrypting party).

(*) Just append an arbitrary one-bit pad to the ciphertext and discard the bit
before decryption.

The encryption function ENC is then applied to $x'$. For decrypting
$y = ENC^*(x)$ one first applies the decryption function of ENC to obtain $x'$,
which is then decoded into $x$ by mapping a pair (0,0) into 0 and either pair
(0,1) or (1,0) into 1. If $x'$ contains a pair that equals (1,1) the decoding
outputs the invalidity sign $\bot$.

The attack when only encryption is used. For the sake of presentation let's
first assume that only ENC* is applied to the transmitted data (we will then
treat the AtE case where a MAC is applied to the data before encryption). In
this case, when an attacker A sees a transmitted ciphertext $y = ENC^*(x)$ it
can learn the first bit $x_1$ of $x$ as follows. It intercepts $y$, flips (from
0 to 1 and from 1 to 0) the first two bits $(y_1, y_2)$ of $y$, and sends the
modified ciphertext $y'$ to its destination. If A can obtain the information of
whether the decryption output a valid or invalid plaintext then A learns the
first bit of $x$. This is so since, as can be easily seen, the modified $y'$ is
valid if and only if $x_1 = 1$. (Remember that we are using a stream cipher to
encrypt $x'$.) Clearly, this breaks the secrecy of the channel (note that the
described attack can be applied to any of the bits of the plaintext). One
question that arises is whether it is realistic to assume that the attacker
learns the validity or invalidity of the ciphertext. The answer is that this is
so for many practical applications that will show an observable change of
behavior if the ciphertext is invalid (in particular, many applications will
return an error message in this case).

To make the point even clearer, consider a protocol that transmits passwords
and uses ENC* to protect passwords over the network (this is, for example, one
of the very common uses of SSL). The above attack, if applied to one of the
bits of the password (we assume that the attacker knows the placement of the
password field in the transmitted data), will work as follows. If the attacked
bit is 1 then the password authentication will succeed in spite of the change
in the ciphertext. If it is 0 the password authentication will fail. In this
case success or failure is reported back to the remote machine and then learned
by the attacker. In applications where the same password is used multiple times
(again, as in many applications protected by SSL) the attacker can learn the
password bit-by-bit. The same can be applied to other sensitive information such
as credit card numbers, where a mistake in this number will usually be reported
back and the validity/invalidity information will be learned by A.

The attack against the AtE(ENC*, MAC) scheme. Consider now the case of interest for us in which the encryption is applied not just to the data but also to a MAC function computed on this data. Does the above attack apply? The answer is YES. The MAC is applied to the data before encoding and encryption, and therefore if the original bit is 1 the change in the ciphertext will result in the same decrypted plaintext and then the MAC check will succeed. Similarly, if the original bit is 0 the decrypted plaintext will have a 1 instead and the MAC will fail. All the attacker needs now is the information of whether the MAC succeeded or not. Note that in a sense the MAC just makes things worse since, regardless of the semantics of the application, a failure of authentication is easier to learn by the attacker: either via returned error messages, or by other effects on the application that can be observed by the attacker. 
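The attack just described, carried through end to end as an added example (this is not code from the paper). It assumes the ENC* encoding discussed earlier, namely 0 → 00 and 1 → 01 or 10 chosen at random, with 11 not a codeword, followed by a stream cipher; the keystream generator (SHAKE256 over key and nonce), the MAC (HMAC-SHA256) and the sample password are stand-ins constructed for the example. The attacker sees only the ciphertext and a one-bit accept/reject answer, exactly the "error message" oracle of the text, and recovers every plaintext bit.

```python
"""Bit-by-bit recovery against AtE(ENC*, MAC) through an accept/reject oracle.
Added example; ENC* encoding (0 -> 00, 1 -> 01|10, 11 invalid) as in the paper,
SHAKE256 keystream and HMAC-SHA256 are stand-ins chosen for this example."""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended before encryption


def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def keystream(key: bytes, nonce: bytes, nbits: int) -> list:
    """Pseudorandom pad; SHAKE256 stands in for the stream cipher's PRG."""
    return to_bits(hashlib.shake_256(key + nonce).digest((nbits + 7) // 8))[:nbits]


def enc_star(ke: bytes, nonce: bytes, plaintext: bytes) -> list:
    """ENC*: encode 0 -> 00 and 1 -> 01 or 10 (random), then XOR with the pad."""
    encoded = []
    for bit in to_bits(plaintext):
        encoded += [0, 0] if bit == 0 else secrets.choice(([0, 1], [1, 0]))
    return [e ^ k for e, k in zip(encoded, keystream(ke, nonce, len(encoded)))]


def dec_star(ke: bytes, nonce: bytes, ct_bits: list):
    """Inverse of enc_star; None if any bit pair decodes to the invalid 11."""
    encoded = [c ^ k for c, k in zip(ct_bits, keystream(ke, nonce, len(ct_bits)))]
    bits = []
    for i in range(0, len(encoded), 2):
        pair = (encoded[i], encoded[i + 1])
        if pair == (0, 0):
            bits.append(0)
        elif pair in ((0, 1), (1, 0)):
            bits.append(1)
        else:
            return None
    return from_bits(bits)


def ate_send(ke: bytes, ka: bytes, message: bytes):
    """Authenticate-then-encrypt: ENC*(message || MAC_ka(message))."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(ka, message, hashlib.sha256).digest()
    return nonce, enc_star(ke, nonce, message + tag)


def ate_receive(ke: bytes, ka: bytes, nonce: bytes, ct_bits: list):
    """Decrypt and verify; returns the message, or None on any failure."""
    data = dec_star(ke, nonce, ct_bits)
    if data is None or len(data) < TAG_LEN:
        return None
    message, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    return message if hmac.compare_digest(
        tag, hmac.new(ka, message, hashlib.sha256).digest()) else None


def recover_bits(oracle, nonce: bytes, ct_bits: list, nbits: int) -> bytes:
    """Attacker: flip the two ciphertext bits carrying plaintext bit i.  The
    receiver accepts iff that bit was 1 (01 <-> 10 stay valid and the MAC still
    verifies; 00 becomes the invalid 11 and the MAC check is never reached)."""
    recovered = []
    for i in range(nbits):
        tampered = list(ct_bits)
        tampered[2 * i] ^= 1
        tampered[2 * i + 1] ^= 1
        recovered.append(1 if oracle(nonce, tampered) else 0)
    return from_bits(recovered)


def honest_roundtrip(message: bytes) -> bool:
    ke, ka = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce, ct_bits = ate_send(ke, ka, message)
    return ate_receive(ke, ka, nonce, ct_bits) == message


def run_attack(password: bytes) -> bytes:
    """End-to-end demo: the attacker sees ciphertext and accept/reject only.
    As in the text, it is assumed to know where the password field sits (here
    at the start) and its length."""
    ke, ka = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce, ct_bits = ate_send(ke, ka, password)

    def validity_oracle(n, bits):  # models the application's error message
        return ate_receive(ke, ka, n, bits) is not None

    return recover_bits(validity_oracle, nonce, ct_bits, 8 * len(password))


if __name__ == "__main__":
    print(run_attack(b"hunter2!"))
```

Each plaintext bit costs exactly one query, and the MAC never helps: the oracle answer is determined by the decoding step, before the tag is checked.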

Discussion: what have we learned? The example using ENC* is certainly sufficient to show that the method AtE can be insecure even if the encryption function is IND-CPA secure and the MAC unforgeable (note that this conclusion does not depend on any specific formalization of secure communications; any reasonable definition of security must label the above protocol as insecure). Therefore, if one wants to claim the security of AtE(ENC, MAC) for particular functions ENC and MAC one needs to analyze the combination as a whole or use stronger or specific properties of the encryption function (see Section 5). An interesting issue here is how plausible it is that people will ever use an encryption scheme such as ENC*. We note that although this scheme does not appear to be the most natural encryption mechanism, some (equally insecure) variants of it may arise in practice. First, the application of an encoding to a plaintext before encryption is used many times for padding and other purposes and is a particularly common practice in public key encryption algorithms. Second, encodings of this type can be motivated by stronger security requirements, e.g. to prevent an attacker from learning the exact length of transmitted messages or other traffic analysis information. In this case one could use an encoding similar to ENC* but with variable size codes. (Just to make the point: note that a good example of traffic analysis arises in the above examples, where the attacker has a lot to learn from error-reporting messages; even in cases where this information is encrypted it can usually be learned through the analysis of packet lengths, etc.) Another setting where plaintext encoding is introduced in order to improve security is for combating timing and power analysis attacks. 

The bottom line is that it is highly desirable to have schemes that are robust to generic composition and are not vulnerable when seemingly innocuous changes are made to an algorithm (or when a new, more secure or more efficient algorithm or mode is adopted).† 



4.3 Encrypt-and-Authenticate Is Not Generically Secure 

The first observation to make regarding the encrypt-and-authenticate method is that under the common requirements from a MAC function this method cannot guarantee the protection of secrecy (even against a passive eavesdropper). This is so since a MAC can be secure against forgeries but still leak information on the plaintext. Thus, the really interesting question is whether the method becomes secure if we avoid this obvious weakness via the use of a "secrecy protecting" MAC, such as one implemented via a pseudorandom function, or when the MAC tag is encrypted (most, if not all, MAC functions used in practice are believed to protect secrecy). Unfortunately, however, the attack from the previous section applies here too, thus showing the (generic) insecurity of the E&A method even under the above stronger forms of MAC. (See also the last remark in Section 5.2.) 



† See the last remark in Section 5.2 for another example where seemingly harmless changes transform a secure protocol into an insecure one. 
5 Authenticate-then-Encrypt with CBC and OTP Modes 

In Section 4.2 we saw that authenticate-then-encrypt cannot guarantee secure channels under the sole assumption that the encryption function is IND-CPA, even if the MAC function is perfectly secure. In this section we prove that for two common modes of encryption, CBC (with a secure underlying block cipher) and OTP (stream ciphers that xor data with a (pseudo)random pad), the AtE mode does work for implementing secure channels. 

5.1 A Sufficient Condition for the Security of AtE 

We start by pointing out the following Theorem, which can be proven in the security model of Canetti and Krawczyk (the secure channels model recalled earlier in the paper). 

Theorem 2. (derived from the secure channels work of Canetti and Krawczyk) Let ENC be an IND-CPA encryption function and MAC a MAC function. If the composed function AtE(ENC, MAC), considered as an encryption scheme, is (loose) CUF-CPA, then AtE(ENC, MAC) implements secure channels. 

That is, under the assumptions on the ENC and MAC functions as stated in the Theorem, applying the function AtE(ENC, MAC) to information transmitted over adversarially-controlled links protects the secrecy and integrity of this information. More specifically, the Theorem implies the following definition of the function snd in the network channels model of Canetti and Krawczyk. For each transmitted message m with unique message identifier m-id the function snd produces a pair (x, y) where x = m-id and y = ENC_{K_e}(m, MAC_{K_a}(m-id, m)), where the keys K_e and K_a are computationally independent keys derived from the session key. On an incoming message (x', y') the rcv function verifies the uniqueness of message identifier x', decrypts y' under key K_e, verifies the validity of the decrypted MAC tag, and if all tests succeed the recipient accepts the decrypted message as valid. We note that if the message identifier is maintained in synchrony by sender and receiver (as in SSL) then there is no need to send its value over the network. On the other hand, if sent, the message identifier can be encrypted too. The above Theorem holds in either case. 

We stress that the Theorem holds for strict CUF-CPA as well as for the relaxed "loose" version (both defined earlier in the paper). 

Based on this Theorem, and on the fact that OTP and CBC are IND-CPA [2], we can prove the security of AtE under OTP and CBC by showing that in this case the resultant AtE scheme is CUF-CPA. The rest of this section is devoted to proving these facts. 

5.2 AtE with OTP 

The OTP scheme. Let F be a family of functions with domain {0,1}^ℓ and range {0,1}^{ℓ'}. We define the encryption scheme OTP(F) to work on messages of length at most ℓ' as follows. A key in the encryption scheme is a description of a member f of the family F. The OTP encryption under f of plaintext x is performed by choosing r ∈_R {0,1}^ℓ and computing c = f(r) ⊕ x, where f(r) is truncated to the length of x. The ciphertext is the pair (r, c). Decryption works in the obvious way. If F is the set of all functions with the above domain and range and f is chosen at random from this family we get perfect secrecy against chosen-plaintext attacks as long as there are no repetitions in the values r chosen by the encryptor (after encrypting q different messages a repetition happens with probability at most q²/2^ℓ); we denote this scheme by OTP$. If F is a family of pseudorandom functions then the same security is achieved but in a computational sense, i.e., up to the "indistinguishability distance" between the pseudorandom family and a truly random function. A formal and exact-security treatment of this mode of encryption can be found in [2]. 

The AtE(OTP$, MAC) composition. Let MAC be a MAC family with n-bit outputs, and k a key to a member of that family. Let f be a random function with domain and range as defined above. The AtE(OTP$, MAC) function with f and k acts as follows: (i) it receives as input a message x of length at most ℓ' − n, (ii) computes t = MAC_k(x), (iii) appends t to x, (iv) outputs the OTP encryption under f of the concatenated message (x, t). 

The following theorem establishes the CUF-CPA security of AtE(OTP$, MAC) as a function of the security ε_M(·, ·, ·) of MAC. 

Theorem 3. If MAC is a MAC family that resists one-query attacks then AtE(OTP$, MAC) is CUF-CPA (and then by Theorem 2 it implements secure channels). More precisely, any ciphertext forger F against AtE(OTP$, MAC) that runs in time T has success probability ε_U of at most q²/2^ℓ + ε_M(1, p, T'), where ℓ is a parameter of OTP$, q is the number of queries F makes during the attack, p is an upper bound on the length of each such query and on the length of the output forgery, and T' = T + cqp for some constant c. 

For a proof of the Theorem see the full version of this paper. 

Using standard techniques one can show that the theorem holds also for an OTP scheme realized via a family of pseudorandom functions if we add to the above probability bound the distinguishability distance between the pseudorandom family and a truly random function. Also, the q²/2^ℓ component can be eliminated if one uses non-repeating nonces instead of random r's (such as in counter mode or via a stateful pseudorandom generator used to generate a pseudorandom pad). 

Remark (Tightness: one-query resistance is necessary). Here is an example of a MAC that does not resist one-query attacks and with which valid ciphertext can be forged against AtE(OTP$, MAC). Assume MAC allows for finding two same-length messages with the same MAC tag. (For example, MAC first zeros the last bit of the message and then applies a secure MAC function to the resultant message. Thus, MAC resists zero-query attacks but fails against one query: ask for a MAC on a message, then forge for the message with the last bit flipped.) The strategy of the ciphertext forger against AtE(OTP$, MAC) is to find such a pair of messages x_1, x_2. Then, it queries the first one and gets the ciphertext (r, c). Finally, it outputs the forgery (r, c') where c' is obtained from c by xor-ing x_1 ⊕ x_2 into the first |x_2| bits of c (recall that c = f(r) ⊕ (x_1, MAC(x_1)), so this replaces x_1 by x_2 under the same pad). It is easy to see that (r, c') decrypts to (x_2, MAC(x_2)). 
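The forger of this remark, written out as an added example (not code from the paper). The random function f of OTP$ is simulated by SHAKE256 keyed with a secret seed, the weak MAC is HMAC-SHA256 applied after zeroing the last bit of the message, exactly the construction sketched above, and the query message is constructed for the example. For contrast the same forger is run against plain HMAC-SHA256, which resists one-query attacks, and is rejected.

```python
"""Ciphertext forgery against AtE(OTP$, MAC) with a MAC that fails one-query
attacks.  Added example; SHAKE256 stands in for the random function f and
HMAC-SHA256 (with the last message bit zeroed) is the weak MAC of the remark."""
import hashlib
import hmac
import secrets

R_LEN = 16   # bytes of the random r (the parameter l of OTP$)
N = 32       # bytes of MAC output


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f(seed: bytes, r: bytes, nbytes: int) -> bytes:
    """Stand-in for the random function f(r), truncated to nbytes."""
    return hashlib.shake_256(seed + r).digest(nbytes)


def weak_mac(k: bytes, x: bytes) -> bytes:
    """Zero-query secure, one-query insecure: the last bit of x is ignored."""
    return hmac.new(k, x[:-1] + bytes([x[-1] & 0xFE]), hashlib.sha256).digest()


def strong_mac(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()


def ate_otp_encrypt(seed: bytes, k: bytes, mac, x: bytes):
    """AtE(OTP$, MAC): OTP-encrypt x || MAC_k(x) under a fresh random r."""
    r = secrets.token_bytes(R_LEN)
    data = x + mac(k, x)
    return r, xor(f(seed, r, len(data)), data)


def ate_otp_decrypt(seed: bytes, k: bytes, mac, r: bytes, c: bytes):
    """Returns the message if the embedded tag verifies, else None."""
    data = xor(f(seed, r, len(c)), c)
    x, t = data[:-N], data[-N:]
    return x if hmac.compare_digest(mac(k, x), t) else None


def forge(seed: bytes, k: bytes, mac) -> bool:
    """The one-query forger of the remark; it never sees k or the seed of f."""
    x1 = b"transfer 100 to account 0"          # constructed query
    x2 = x1[:-1] + bytes([x1[-1] ^ 1])         # same length, last bit flipped
    r, c = ate_otp_encrypt(seed, k, mac, x1)   # the single encryption query
    # c = f(r) XOR (x1 || MAC(x1)).  XOR-ing (x1 XOR x2) into the first |x2|
    # bytes yields f(r) XOR (x2 || MAC(x1)), reusing the same r.
    delta = xor(x1, x2) + bytes(len(c) - len(x2))
    forged = xor(c, delta)
    return ate_otp_decrypt(seed, k, mac, r, forged) == x2


def demo() -> tuple:
    """(accepted with the weak MAC, accepted with HMAC) -> (True, False)."""
    seed, k = secrets.token_bytes(32), secrets.token_bytes(32)
    return forge(seed, k, weak_mac), forge(seed, k, strong_mac)


if __name__ == "__main__":
    print(demo())
```

The forgery works because OTP is malleable bit for bit and the tag depends only on the part of x_1 that x_2 shares; a MAC that resists one query removes the second property, which is all Theorem 3 needs.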

Remark (Multi-valued MAC). In our definition of MAC security earlier in the paper we strengthened the regular security definition of a MAC function in the case that the function allows for different valid authentication tags for the same message. This extended definition is used (explicitly) in the proof of Theorem 3 and is essential for ensuring the CUF-CPA property of AtE(OTP$, MAC). To see this, let MAC be a secure single-valued MAC function and define MAC' to be the same as MAC except that an additional arbitrary bit is appended to each authentication tag. The verification procedure will just ignore this bit. It is easy to see that in this case AtE(OTP$, MAC') will not be CUF-CPA. However, if one examines the proof of Theorem 3 it can be seen that AtE(OTP$, MAC') achieves loose CUF-CPA (as defined earlier) and then it is sufficient for implementing secure channels (which is what we care about). So can we dispense with the strengthened notion of MAC when multi-valued MACs are used? The answer is no. It is possible to build a multi-valued function MAC that satisfies the regular MAC definition, but not the strengthened version, for which AtE(OTP$, MAC) is insecure for building secure channels (see the full version of this paper). 

Remark (Sufficiency of redundancy functions). In [1] An and Bellare investigate the question of whether simple redundancy functions (such as combinatorial hash functions) applied to a plaintext before encryption suffice for providing ciphertext unforgeability. In the case of AtE with OTP it seems natural to assume that a simple combinatorial property of the redundancy function such as AXU [20, 26] should suffice. (In particular, this seems so since such a property is sufficient [1] if one only considers plaintext integrity, where only the output of the redundancy function is encrypted under an OTP scheme.) However, this turns out not to be true in the case of ciphertext unforgeability. We can show an example of an ε-AXU (and also ε-balanced) MAC family for which AtE(OTP$, MAC) is not CUF-CPA. It seems plausible, however, that a more involved combinatorial property (involving the length of messages) of the MAC function could suffice to guarantee ciphertext unforgeability in the case of AtE with OTP. Actually, it is interesting to note that if the authentication tag is positioned before the message, instead of at the end as defined above, the AXU property is indeed sufficient (assuming fixed-length and single-valued valid authentication tags). 

Remark (Beware of "slight changes"). To highlight the "fragility" of the result in Theorem 3 we note that the proof of this theorem uses in an essential way the fact that the encryption is applied as a whole to the concatenated message and MAC tag. If we were to encrypt these two values separately (i.e., using separate IVs for the encryption of the message and of the MAC), even under a truly random function we would not get CUF or CCA security. More significantly, such separate encryption results in insecure channels. Indeed, under this method an active attacker can get to learn whether two transmitted messages, possibly with different message identifiers, are the same, something clearly unwanted in a secure protocol. (This weakness allows for actual attacks on practical applications, in particular several forms of "dictionary attacks".‡) In addition, this observation shows another weakness of the encrypt-and-authenticate method (Section 4.3) since it exhibits the insecurity of this method even under the use of a standard stream cipher for encryption and even when the MAC tag is encrypted. 

5.3 AtE with CBC 

The CBC scheme. Let ℓ be a positive integer and F be a family of permutations over {0,1}^ℓ. We define the encryption scheme CBC(F) to work on messages of length a multiple of ℓ. A key in the encryption scheme is a description of a member f of the family F. The CBC encryption under f of plaintext x is performed by partitioning x into blocks x[1], ..., x[p] of length ℓ each, then choosing r ∈_R {0,1}^ℓ (called the IV) and computing the ciphertext c = c[0], c[1], ..., c[p] as c[0] = r, c[i] = f(c[i − 1] ⊕ x[i]), i = 1, ..., p. Decryption works in the obvious inverse way. If F is the set of all permutations over {0,1}^ℓ and f is chosen at random from F then we denote the scheme by CBC$. A formal and exact-security treatment of this mode of encryption can be found in [2], who in particular prove it to be IND-CPA also in the case where F is a pseudorandom family (in this case the security depends on the "indistinguishability distance" between the pseudorandom family and a truly random function). 

The AtE(CBC$, MAC) composition. Let MAC be a MAC family with ℓ-bit outputs, and k a key to a member of that family. Let f be a random permutation over {0,1}^ℓ. The AtE(CBC$, MAC) function with f and k acts as follows: (i) it receives as input a message x of length a multiple of ℓ, (ii) computes t = MAC_k(x), (iii) appends t to x, (iv) outputs the CBC encryption under f of the concatenated message (x, t) (note that the resultant output is two blocks longer than x due to the added block t and the prepended IV r). 

The following theorem establishes the CUF-CPA security of AtE(CBC$, MAC) as a function of the security ε_M(·, ·, ·) of MAC. 

Theorem 4. If MAC is a secure MAC family then AtE(CBC$, MAC) is CUF-CPA (and then by Theorem 2 it implements secure channels). More precisely, any ciphertext forger F against AtE(CBC$, MAC) that runs in time T has success probability ε_U of at most 

    Q²/2^ℓ + 2q·ε_M(0, 0, T') + ε_M(1, p*, T') + 2·ε_M(q*, p*, T') 

where q is the number of plaintexts queried by F, p is an upper bound on the number of blocks in each of these queries, p* is the length in blocks of the forgery y* output by F, q* = min{q, p*}, Q is the total number of blocks in the responses to F's queries plus p*, and T' = T + cQ for a constant c. 

For a proof of the Theorem see the full version of this paper. 

‡ One such example would be finding passwords sent in the telnet protocol even if the protocol is run over a secure channel protected as above; this is particularly facilitated by the fact that in this case individual password characters are transmitted separately, and thus a dictionary attack can be mounted on individual characters. 
Using standard techniques one can show that the theorem holds also for a CBC scheme realized via a family of pseudorandom permutations if we add to the above probability bound the distinguishability distance between the pseudorandom family and a truly random permutation. However, we note that in this case the distinguisher not only gets access to an oracle that computes the function but also to an oracle that computes the inverse function (that is, we need to assume the family of permutations to be "super pseudorandom" in the sense of Luby and Rackoff). 

Remark (Tightness: the necessity of the bound ε_M(q*)). The most "expensive" term in MAC security in the expression of the theorem is the value ε_M(q*) since the other terms only require protection against one-query or zero-query attacks. Since an attacker F does not get to see any of the MAC values one could wonder why such strong security from the MAC is required. We show here that, in contrast to the AtE(OTP$, MAC) case, this requirement is unavoidable. Specifically, we present, for any i = 0, 1, 2, ..., an example of a MAC function MAC that is secure against i queries but yields an insecure AtE(CBC$, MAC) scheme with q = i + 1 (and p* = 2i + 4). We describe the example for i = 1; the extension to other values is straightforward. 

Let {g_k}_k be a family of pseudorandom functions from ({0,1}^ℓ)* to {0,1}^{ℓ/2}. Define a MAC family MAC' on the same domain as {g_k}_k, and with ℓ-bit outputs, as follows: MAC'_{(k_1,k_2)}(x) = (g_{k_1}(x), g_{k_2}(g_{k_1}(x))). Define a second MAC family MAC that uses the same set of keys as MAC' and such that on key (k_1, k_2): 

1. if the input x contains two ℓ-bit blocks b_i and b_j, i < j, such that b_i ≠ b_j and both have the property that applying g_{k_2} to the first half of the block yields the second half of the block, then output b_i as the MAC value for x; 

2. otherwise, output MAC'_{(k_1,k_2)}(x). 

It is easy to see that the so defined MAC has security of roughly 2^{ℓ/2} against single queries (but is totally insecure after two queries since the outputs of MAC provide the block format that makes the authentication tag "trivial"). We show that it yields an AtE(CBC$, MAC) scheme whose ciphertexts are forgeable after two queries even if the encryption permutation f is purely random. The ciphertext forger F against AtE(CBC$, MAC) proceeds as follows: 

1. Choose two arbitrary one-block long plaintexts x_1, x_2 as the two queries. 

2. Let the responses y_1, y_2 be the triples (r_1, c_1 = f(r_1 ⊕ x_1), m_1 = f(c_1 ⊕ MAC(x_1))) and (r_2, c_2 = f(r_2 ⊕ x_2), m_2 = f(c_2 ⊕ MAC(x_2))). 

3. Output the forgery y* = (c_1, m_1, c_2, m_2, c_1, m_1). 

A simple examination shows that y* is a valid ciphertext: CBC-decrypting y* with IV c_1 yields the plaintext blocks (MAC(x_1), r_2 ⊕ x_2 ⊕ m_1, MAC(x_2), r_1 ⊕ x_1 ⊕ m_2) followed by the tag block MAC(x_1); the first and third plaintext blocks are two distinct blocks of the special form, so rule 1 above outputs MAC(x_1), which matches the tag. 
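The two-query forger of this remark, implemented as an added example (not code from the paper). It uses ℓ = 64 bits, realizes g_{k_1} and g_{k_2} as HMAC-SHA256 truncated to ℓ/2 = 32 bits, and simulates the random permutation f over {0,1}^64 by lazy sampling (a fresh random output is drawn the first time each input is seen, with the inverse table kept alongside), so the forgery is checked against a truly random permutation as the remark requires; the two query blocks are constructed for the example.

```python
"""Two-query ciphertext forgery against AtE(CBC$, MAC) with the MAC of the
remark.  Added example; l = 64 bits, g_k = HMAC-SHA256 truncated to l/2 bits,
and f is a lazily sampled random permutation of {0,1}^64."""
import hashlib
import hmac
import secrets

BLOCK = 8          # l = 64 bits
HALF = BLOCK // 2  # l/2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RandomPermutation:
    """Lazily sampled random permutation of {0,1}^64 together with its inverse."""
    def __init__(self):
        self.fwd, self.inv = {}, {}

    def f(self, x: bytes) -> bytes:
        if x not in self.fwd:
            y = secrets.token_bytes(BLOCK)
            while y in self.inv:
                y = secrets.token_bytes(BLOCK)
            self.fwd[x], self.inv[y] = y, x
        return self.fwd[x]

    def f_inv(self, y: bytes) -> bytes:
        if y not in self.inv:  # never output by f so far: sample a preimage
            x = secrets.token_bytes(BLOCK)
            while x in self.fwd:
                x = secrets.token_bytes(BLOCK)
            self.fwd[x], self.inv[y] = y, x
        return self.inv[y]


def g(k: bytes, x: bytes) -> bytes:
    """PRF g_k: ({0,1}^l)* -> {0,1}^{l/2}."""
    return hmac.new(k, x, hashlib.sha256).digest()[:HALF]


def mac_prime(k1: bytes, k2: bytes, x: bytes) -> bytes:
    """MAC'(x) = (g_k1(x), g_k2(g_k1(x))), an l-bit tag."""
    h = g(k1, x)
    return h + g(k2, h)


def weak_mac(k1: bytes, k2: bytes, x: bytes) -> bytes:
    """Rule 1: two distinct blocks b_i, b_j (i < j) with g_k2(first half) equal
    to the second half -> output b_i.  Rule 2: otherwise output MAC'(x)."""
    blocks = [x[i:i + BLOCK] for i in range(0, len(x), BLOCK)]
    special = [b for b in blocks if g(k2, b[:HALF]) == b[HALF:]]
    for i, b in enumerate(special):
        if any(b2 != b for b2 in special[i + 1:]):
            return b
    return mac_prime(k1, k2, x)


def cbc_encrypt(P: RandomPermutation, x: bytes) -> bytes:
    r = secrets.token_bytes(BLOCK)
    out, prev = [r], r
    for i in range(0, len(x), BLOCK):
        prev = P.f(xor(prev, x[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(P: RandomPermutation, c: bytes) -> bytes:
    blocks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    return b"".join(xor(P.f_inv(blocks[i]), blocks[i - 1])
                    for i in range(1, len(blocks)))


def ate_encrypt(P, k1, k2, x: bytes) -> bytes:
    return cbc_encrypt(P, x + weak_mac(k1, k2, x))


def ate_decrypt(P, k1, k2, y: bytes):
    """Returns the message if the trailing tag block verifies, else None."""
    data = cbc_decrypt(P, y)
    x, t = data[:-BLOCK], data[-BLOCK:]
    return x if hmac.compare_digest(weak_mac(k1, k2, x), t) else None


def forge(P, k1, k2) -> bool:
    """Two one-block queries, then y* = (c1, m1, c2, m2, c1, m1).  Decrypting
    y* with IV c1 gives (MAC(x1), junk, MAC(x2), junk) and tag MAC(x1); the
    two distinct special blocks make rule 1 return MAC(x1), so it verifies."""
    x1, x2 = b"block-01", b"block-02"           # constructed queries
    y1 = ate_encrypt(P, k1, k2, x1)             # r1 | c1 | m1
    y2 = ate_encrypt(P, k1, k2, x2)             # r2 | c2 | m2
    c1, m1 = y1[BLOCK:2 * BLOCK], y1[2 * BLOCK:]
    c2, m2 = y2[BLOCK:2 * BLOCK], y2[2 * BLOCK:]
    forged = c1 + m1 + c2 + m2 + c1 + m1
    msg = ate_decrypt(P, k1, k2, forged)
    return msg is not None and msg not in (x1, x2) and forged not in (y1, y2)


def demo() -> bool:
    return forge(RandomPermutation(), secrets.token_bytes(32), secrets.token_bytes(32))


if __name__ == "__main__":
    print("forgery accepted:", demo())
```

The forger never sees a MAC value in the clear; it only exploits that CBC decryption of a re-ordered ciphertext places earlier tag blocks into the message position, which is exactly why Theorem 4 must charge ε_M(q*) rather than one-query security.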

One consequence of the above lower bound on the required security of MAC is that, somewhat surprisingly, the MAC function cannot be replaced by a simple combinatorial hash function, such as one enjoying AXU (see the remark on "redundancy functions" in Section 5.2). Indeed, had AXU been sufficient then one-query resistant MACs would suffice too (since one-query resistance implies AXU). We note that a modified CBC-like mode for which AXU is sufficient is presented in [1]. 

In contrast to the above lower bound, we do not know if the term q·ε_M(0) in the bound of the theorem is necessary or not; we do not have so far an example that shows this term to be unavoidable. Thus, it may well be the case that a more careful analysis could lower the factor q (actually, even with the current analysis it is possible to replace the factor q with q* by a slightly more involved argument). 

Remark (Non-adaptive security of MAC suffices). It is interesting to note that the requirement from the security of the MAC in Theorem 4 is for non-adaptive queries only. This can be seen by inspecting the proof of the theorem, where the MAC forger G that we build makes non-adaptive queries only. 

Remark (Beware of "slight changes"). Similarly to the case of AtE(OTP$, MAC), the proof of Theorem 4 uses in an essential way the fact that the encryption is done as a whole on the concatenated message and MAC. It is easy to build a ciphertext forgery attack in case the encryption of the plaintext and of the MAC tag are done separately (i.e. with independently chosen IVs). 
Abstract. We propose the first forward-secure signature scheme for which both signing and verifying are as efficient as for one of the most efficient ordinary signature schemes (Guillou-Quisquater [GQ88]), each requiring just two modular exponentiations with a short exponent. All previously proposed forward-secure signature schemes took significantly longer to sign and verify than ordinary signature schemes. 

Our scheme requires only fractional increases to the sizes of keys and signatures, and no additional public storage. Like the underlying scheme, our scheme is provably secure in the random oracle model. 



1 Introduction 

The Purpose of Forward Security. Ordinary digital signatures have a 
fundamental limitation: if the secret key of a signer is compromised, all the 
signatures (past and future) of that signer become worthless. This limitation 
undermines, in particular, the non-repudiation property that digital signatures 
are often intended to provide. Indeed, one of the easiest ways for Alice to re- 
pudiate her signatures is to post her secret key anonymously somewhere on the 
Internet and claim to be a victim of a computer break-in. In principle, various 
revocation techniques can be used to prevent users from accepting signatures 
with compromised keys. However, even with these techniques in place, the users 
who had accepted signatures before the keys were compromised are now left at 
the mercy of the signer, who could (and, if honest, would) re-issue the signatures 
with new keys. 

Forward-secure signature schemes, first proposed by Anderson in [And97] and formalized by Bellare and Miner in [BM99], are intended to address this limitation. Namely, the goal of a forward-secure signature scheme is to preserve the validity of past signatures even if the current secret key has been compromised. This is accomplished by dividing the total time that a given public key is 

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 332 ff., 2001. 
valid into T time periods, and using a different secret key in each time period (while the public key remains fixed). Each subsequent secret key is computed from the current secret key via a key update algorithm. The time period during which a message is signed becomes part of the signature. The forward security property means that even if the current secret key is compromised, a forger cannot forge signatures for past time periods. 

Prior Schemes. Prior forward-secure signature schemes can be divided into two categories: those that use arbitrary signature schemes in a black-box manner, and those that modify a specific signature scheme. 

In the first category, the schemes use some method in which a master public key is used to certify (perhaps via a chain of certificates) the current public key for a particular time period. Usually, these schemes require increases in storage space by noticeable factors in order to maintain the current (public) certificates and the (secret) keys for issuing future certificates. They also require longer verification times than ordinary signatures do, because the verifier needs to verify the entire certificate chain in addition to verifying the actual signature on the message. There is, in fact, a trade-off between storage space and verification time. The two best such schemes are the tree-based scheme of Bellare and Miner [BM99]¹ (requiring storage of about log₂ T secret keys and non-secret certificates, and verification of about log₂ T ordinary signatures) and the scheme of Krawczyk [Kra00] (requiring storage of T non-secret certificates, and verification of only 2 ordinary signatures). 

In the second category, there have been two schemes proposed so far (both in the random oracle model): the scheme of Bellare and Miner [BM99] based on the Fiat-Shamir scheme [FS86], and the scheme of Abdalla and Reyzin [AR00] based on the 2^t-th root scheme [OO88, OS90, Mic94]. While needing less space than the schemes in the first category, both [BM99] and [AR00] require signing and verification times that are linear in T. 

Our Results. We propose a scheme in the second category, based on one of the most efficient ordinary signature schemes, due to Guillou-Quisquater [GQ88]. It uses just two modular exponentiations with short exponents for both signing and verifying. 

Ours is the first forward-secure scheme where both signing and verifying are 
as efficient as the underlying ordinary signature scheme. Moreover, in our scheme 
the space requirements for keys and signatures are nearly the same as those in 
the underlying signature scheme (for realistic parameter values, less than 50% 
more). 

The price of such efficient signing, verifying and storage is in the running times of our key generation and update routines: both are linear in T (however, so are the key generation and non-secret storage in the scheme of [Kra00], as well as the key generation, signing and verifying in the Fiat-Shamir-based scheme of [BM99] and the scheme of [AR00]). However, key generation and update are 

¹ Some improvements to the tree-based scheme of [BM99] (not affecting this discussion) have been proposed in [AR00] and in subsequent work. 
(presumably) performed much less frequently than signing and verifying, and can be performed off-line as long in advance as necessary. Moreover, we show that, if we are willing to tolerate secret storage of 1 + log₂ T values, we can reduce the running time of the key update algorithm to be logarithmic in T without affecting the other components (this, rather unexpectedly, involves an interesting application of pebbling). For realistic parameter values, the total storage requirements, even with these additional secrets, are still less than in all prior schemes; the only exception is the [AR00] scheme, which has very inefficient signing and verifying. 

Our scheme is provably secure in the random oracle model based on a variant of the strong RSA assumption (precisely defined in Section 2.2). 



2 Background 

2.1 Definitions 

This section closely follows the first formal definition of forward-secure signatures proposed by Bellare and Miner [BM99]. Their definition, in turn, is based on the Goldwasser, Micali and Rivest [GMR88] definition of (ordinary) digital signatures secure against adaptive chosen message attacks. 

Key Evolution. The approach taken by forward-secure schemes is to change the secret key periodically (and require the owner to properly destroy the old secret key²). Thus we consider time to be divided into time periods; at the end of each time period, a new secret key is produced and the old one is destroyed. The number of the time period when a signature was generated is part of the signature and is input to the verification algorithm; signatures with incorrect time periods should not verify. 

Of course, while modifying the secret key, one would like to keep the public key fixed. This can, for example, be achieved by use of a "master" public key, which is somehow used to certify a temporary public key for the current time period (note however that one needs to be careful not to keep around the corresponding "master" secret key; its presence would defeat the purpose of forward security). The first simple incarnation of this approach was proposed by [And97]; a very elegant tree-based solution was proposed by [BM99]; another approach, based on generating all of the certificates in advance, was put forward by [Kra00]. However, in general, one can conceive of schemes where the public 

² Obviously, if the key owner does not properly destroy her old keys, an attacker can obtain them and thus forge the "old" signatures. Moreover, if the key owner does not detect that the current key was leaked, the attacker may hold on to the compromised key for a few time periods, and forge "old" signatures then. Indeed, proper deletion of the old keys and proper intrusion detection are non-trivial tasks. However, it is reasonable to insist that the key owner perform such deletion and intrusion detection; certainly more reasonable than insisting that she guarantee the secrecy of her active keys through resistance to any intrusion attack. 
key stays fixed but no such certificates of per-period public keys are present (and, indeed, such schemes are proposed in [BM99, AR00], as well as in this paper). 

The notion of a key-evolving signature scheme captures, in full generality, 
the idea of a scheme with a fixed public key and a varying secret key. It is, es- 
sentially, a regular signature scheme with the additions of time periods and the 
key update algorithm. Note that this notion is purely functional: security is ad- 
dressed separately, in the definition of forward security (which is the appropriate 
security notion for key-evolving signature schemes). 

Thus, a key-evolving digital signature scheme is a quadruple of algorithms, FSIG = (FSIG.key, FSIG.sign, FSIG.ver, FSIG.update), where: 

— FSIG.key, the key generation algorithm, is a probabilistic algorithm which takes as input a security parameter k ∈ N (given in unary as 1^k) and the total number of periods T and returns a pair (SK_1, PK), the initial secret key and the public key; 

— FSIG.sign, the (possibly probabilistic) signing algorithm, takes as input the secret key SK_j = (S_j, j, T) for the time period j ≤ T and the message M to be signed and returns the signature (j, sign) of M for time period j; 

— FSIG.ver, the (deterministic) verification algorithm, takes as input the public key PK, a message M, and a candidate signature (j, sign), and returns 1 if (j, sign) is a valid signature of M or 0 otherwise. It is required that FSIG.ver(PK, M, FSIG.sign(SK_j, M)) = 1 for every message M and time period j. 

— FSIG.update, the (possibly probabilistic) secret key update algorithm, takes as input the secret key SK_j for the current period j ≤ T and returns the new secret key SK_{j+1} for the next period j + 1. 

We adopt the convention that SK_{T+1} is the empty string and FSIG.update(SK_T) returns SK_{T+1}. 

When we work in the random oracle model, all the above-mentioned algorithms would have an additional security parameter, 1^l, and oracle access to a public hash function H : {0,1}* → {0,1}^l, which is assumed to be random in the security analysis. 

Forward Security. Forward security captures the notion that it should be computationally infeasible for any adversary to forge a signature for any past time period even in the event of exposure of the current secret key. Of course, since the update algorithm is public, nothing can be done with respect to future secret keys, except for revoking the public key (thus invalidating all signatures for the time period of the break-in and thereafter). To define forward security formally, the notion of a secure digital signature of [GMR88] is extended in [BM99] to take into account the ability of the adversary to obtain a key by means of a break-in. 

Intuitively, in this new model, the forger first conducts an adaptive chosen 
message attack (cma), requesting signatures on messages of its choice for as 
many time periods as he desires. Whenever he chooses, he “breaks in”: requests 
the secret key $SK_b$ for the current time period $b$ and then outputs an (alleged) 



336 G. Itkis and L. Reyzin 



signature on a message $M$ of his choice for a time period $j < b$. The forger is 
considered to be successful if the signature is valid and the pair $(M, j)$ was not 
queried during cma. 

Formally, let the forger $F = (F.\mathrm{cma}, F.\mathrm{forge})$. For a key pair $(PK, SK_1) \leftarrow 
\mathrm{FSIG.key}(k, \ldots, T)$, $F.\mathrm{cma}$, given $PK$ and $T$, outputs $(CM, b)$, where $b$ is the 
break-in time period and $CM$ is a set of adaptively chosen message-period 
pairs (the set of signatures $\mathrm{sign}(CM)$ of the current set $CM$ is available to 
$F$ at all times, including during the construction of $CM$).³ Finally, $F.\mathrm{forge}$ out- 
puts $(M, j, sig) \leftarrow F.\mathrm{forge}(CM, \mathrm{sign}(CM), SK_b)$. We say that $F$ is successful 
if $(M, j) \notin CM$, $j < b$, and $\mathrm{FSIG.ver}_{PK}(M, (j, sig)) = 1$. (Note: formally, the 
components of $F$ can communicate all the necessary information, including $T$ 
and $b$, via $CM$.) 

Define $\mathrm{Succ}^{fwsig}(\mathrm{FSIG}[k, T], F)$ to be the probability (over coin tosses of $F$ 
and FSIG) that $F$ is successful. Let the function $\mathrm{InSec}^{fwsig}(\mathrm{FSIG}[k, T], t, q_{sig})$ (the 
insecurity function) be the maximum, over all algorithms $F$ that are restricted 
to running time $t$ and $q_{sig}$ signature queries, of $\mathrm{Succ}^{fwsig}(\mathrm{FSIG}[k, T], F)$. 

The insecurity function above follows the “concrete security” paradigm and 
gives us a measure of how secure or insecure the scheme really is. Therefore, we 
want its value to be as small as possible. Our goal in a security proof will be to 
find an upper bound for it. 

The above definition can be translated to the random oracle model in a stan- 
dard way [BR93]: by introducing an additional security parameter $1^l$, allowing 
all algorithms the access to the random oracle $H : \{0,1\}^* \to \{0,1\}^l$, and consid- 
ering $q_{hash}$, the number of queries to the random oracle, as one more parameter 
for the forger. 

2.2 Assumption 

We use a variant of the strong RSA assumption (to the best of our knowledge, 
first introduced independently in [BP97] and [FO97]), which postulates that it is 
intractable to compute any root of a fixed value modulo a composite integer. More precisely, 
the strong RSA assumption states that it is intractable, given $n$ that is a product 
of two primes and a value $a \in \mathbb{Z}_n^*$, to find $\beta \in \mathbb{Z}_n^*$ and $r > 1$ such that $\beta^r = a$. 

However, we modify the assumption in two ways. First, we restrict ourselves 
to the moduli that are products of so-called “safe” primes (a safe prime is one 
of the form $2q + 1$, where $q$ itself is a prime). Note that, assuming safe primes 

³ Note that the [BM99] definition, which captures what $F$ can do in practice, allows 
the message-period pairs to be added to $CM$ only in the order of increasing time 
periods and without knowledge of any secret keys. However, allowing the forger to 
construct $CM$ in arbitrary order, and even to obtain $SK_b$ in the middle of the $CM$ 
construction (so that some messages be constructed by the forger with the knowledge 
of $SK_b$) would not affect our (and their) results. Similarly, the forger can be allowed 
to obtain more than one secret key; we only care about the earliest period $b$ for 
which the secret key is given to the forger. So, the forger may adaptively select 
some messages which are signed for him, then request some period’s secret key; then 
adaptively select more messages and again request a key, etc. 
are frequent, this restriction does not strengthen the assumption. Second, we 
upper-bound the permissible values of $r$ by $2^{l+1}$, where $l$ is a security parameter 
for our scheme (in an implementation, $l$ will be significantly shorter than the 
length $k$ of the modulus $n$). 

More formally, let $A$ be an algorithm. Consider the following experiment. 

Experiment Break-Strong-RSA$(k, l, A)$ 

Randomly choose two primes $q_1$ and $q_2$ of length $\lceil k/2 \rceil - 1$ each 
such that $2q_1 + 1$ and $2q_2 + 1$ are both prime. 

$p_1 \leftarrow 2q_1 + 1$; $p_2 \leftarrow 2q_2 + 1$; $n \leftarrow p_1 p_2$ 
Randomly choose $a \in \mathbb{Z}_n^*$. 

$(\beta, r) \leftarrow A(n, a)$ 

If $1 < r < 2^{l+1}$ and $\beta^r = a \pmod n$ then return 1 else return 0 

Let $\mathrm{Succ}(A, k, l) = \Pr[\text{Break-Strong-RSA}(k, l, A) = 1]$. Let $\mathrm{InSec}^{SRSA}(k, l, t)$ 
be the maximum of $\mathrm{Succ}(A, k, l)$ over all the adversaries $A$ who run in time 
at most $t$. Our assumption is that $\mathrm{InSec}^{SRSA}(k, l, t)$, for $t$ polynomial in $k$, is 
negligible in $k$. The smaller the value of $l$, of course, the weaker the assumption. 

In fact, for a sufficiently small $l$, our assumption follows from a variant of the 
fixed-exponent RSA assumption. Namely, assume that there exists a constant $c$ 
such that, for every $r$, the probability of computing, in time $t$, an $r$-th root of 
a random integer modulo a $k$-bit product of two safe primes, is at most $2^{-k^c}$. 
Then, $\mathrm{InSec}^{SRSA}(k, l, t) \le 2^{l+1-k^c}$, which is negligible if $l = o(k^c)$. 

2.3 Mathematical Tools 

The following two simple statements will be helpful later. They were first pointed 
out by Shamir [Sha83] in the context of generation of pseudorandom sequences 
based on the RSA function. 

Proposition 1. Let $G$ be a group. Suppose $e_1, e_2 \in \mathbb{Z}$ are such that $\gcd(e_1, e_2) = 1$. 
Given $a, b \in G$ such that $a^{e_1} = b^{e_2}$, one can compute $c$ such that $c^{e_2} = a$ 
in $O(\log(e_1 + e_2))$ group and arithmetic operations. 

Proof. Using Euclid’s extended gcd algorithm, within $O(\log(e_1 + e_2))$ arithmetic 
operations compute $f_1, f_2$ such that $e_1 f_1 + e_2 f_2 = 1$. Compute $c = b^{f_1} a^{f_2}$ with 
$O(\log(f_1 + f_2)) = O(\log(e_1 + e_2))$ group operations. Then $c^{e_2} = b^{e_2 f_1} a^{e_2 f_2} = 
a^{e_1 f_1} a^{e_2 f_2} = a$. □ 

Lemma 1. Let $G$ be a finite group. Suppose $e_1 \in \mathbb{Z}$ and $e_2 \in \mathbb{Z}$ are such that 
$\gcd(e_1, e_2) = g$ and $\gcd(g, |G|) = 1$. Given $a, b \in G$ such that $a^{e_1} = b^{e_2}$, one can 
compute $c$ such that $c^{e_2/g} = a$ in $O(\log(e_1 + e_2))$ group and arithmetic operations. 

Proof. Since $\gcd(g, |G|) = 1$, $(z^g = 1) \Rightarrow (z = 1)$ for any $z \in G$. Let $e'_1 = 
e_1/g$; $e'_2 = e_2/g$. Then $(a^{e'_1}/b^{e'_2})^g = 1$, so $a^{e'_1} = b^{e'_2}$, so we can apply 
Proposition 1 to get $c$ such that $c^{e'_2} = a$. □ 
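Shamir’s trick of Proposition 1 and Lemma 1 is the computational core of every extraction argument in this paper, so the following added Python example (written for this page, not code from the paper) carries the proof through in $\mathbb{Z}_n^*$ for a constructed toy modulus $n = 11 \cdot 23$ with $|\mathbb{Z}_n^*| = 220$: the extended Euclidean step, the combination $c = b^{f_1} a^{f_2}$, and the reduction to coprime exponents used in Lemma 1. The instance builder, the modulus and the function names are assumptions of the example.

```python
from math import gcd

def egcd(x, y):
    """Extended Euclid: returns (g, f1, f2) with f1*x + f2*y == g == gcd(x, y)."""
    old_r, r = x, y
    old_f1, f1 = 1, 0
    old_f2, f2 = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_f1, f1 = f1, old_f1 - q * f1
        old_f2, f2 = f2, old_f2 - q * f2
    return old_r, old_f1, old_f2

def root_from_coprime_exponents(a, b, e1, e2, n):
    """Proposition 1 in the group Z_n^*: given a^e1 == b^e2 (mod n) and
    gcd(e1, e2) == 1, return c with c^e2 == a (mod n)."""
    g, f1, f2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    # c = b^f1 * a^f2.  One of f1, f2 is negative; Python's pow() with a
    # negative exponent and a modulus computes the modular inverse for us.
    return pow(b, f1, n) * pow(a, f2, n) % n

def root_from_exponents(a, b, e1, e2, n, group_order):
    """Lemma 1: gcd(e1, e2) == g with gcd(g, |G|) == 1; return c with
    c^(e2/g) == a (mod n).  group_order is |Z_n^*| = phi(n); it is needed
    only to check the lemma's hypothesis."""
    g = gcd(e1, e2)
    if gcd(g, group_order) != 1:
        raise ValueError("gcd of the exponents must be coprime with |G|")
    # z^g == 1 implies z == 1 in G, so a^(e1/g) == b^(e2/g) already holds
    # and Proposition 1 applies to the reduced exponents.
    return root_from_coprime_exponents(a, b, e1 // g, e2 // g, n)

# Constructed toy group (assumption of the example): n = 11 * 23, |Z_n^*| = 10 * 22.
TOY_N = 11 * 23
TOY_ORDER = 10 * 22

def make_instance(b, e1, e2):
    """Build a in Z_n^* with a^e1 == b^e2 (mod n); requires gcd(e1, |G|) == 1."""
    return pow(b, e2 * pow(e1, -1, TOY_ORDER), TOY_N)

if __name__ == "__main__":
    a = make_instance(5, 7, 3)
    c = root_from_coprime_exponents(a, 5, 7, 3, TOY_N)
    print("c^3 == a:", pow(c, 3, TOY_N) == a)
```

The Lemma 1 wrapper is what the GQ argument in Section 2.4 relies on: with $e_1 = \sigma - \tau$ and $e_2 = e$, the hypothesis $\gcd(g, \phi(n)) = 1$ is exactly the reason $e$ must be chosen relatively prime with $\phi(n)$.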
2.4 The Guillou-Quisquater Signature Scheme 

In [GQ88], Guillou and Quisquater propose the following three-round identifi- 
cation scheme, summarized in Figure 1. Let $k$ and $l$ be two security parame- 
ters. The prover’s secret key consists of a $k$-bit modulus $n$ (a product of two 
random primes $p_1, p_2$), an $(l+1)$-bit exponent $e$ that is relatively prime to 
$\phi(n) = (p_1 - 1)(p_2 - 1)$, and a random $s \in \mathbb{Z}_n^*$. The public key consists of $n$, $e$ 
and $v$ where $v = 1/s^e \pmod n$. 

In the first round, the prover generates a random $r \in \mathbb{Z}_n^*$, computes the 
commitment $y = r^e \pmod n$ and sends $y$ to the verifier. In the second 
round, the verifier sends a random $l$-bit challenge $\sigma$ to the prover. In the third 
round, the prover computes and sends to the verifier $z = r s^\sigma$. To check, the 
verifier computes $y' = z^e v^\sigma$ and checks if $y = y'$ (and $y \ne 0 \pmod n$). 

The scheme’s security is based on the assumption that computing roots mod- 
ulo composite $n$ is infeasible without knowledge of its factors (the precise assump- 
tion varies depending on how $e$ is chosen), and can be proven using Lemma 1. 
Informally, if the prover can answer two different challenges, $\sigma$ and $\tau$, for the same 
$y$, then it can provide $z_\sigma$ and $z_\tau$ such that $z_\sigma^e v^\sigma = z_\tau^e v^\tau$. Hence, $v^{\sigma - \tau} = (z_\tau/z_\sigma)^e$. 
Note that $e$ is $(l+1)$ bits long, hence $e > |\sigma - \tau|$, hence $g = \gcd(\sigma - \tau, e) < e$, so 
$r = e/g > 1$. By Lemma 1, knowing $\sigma - \tau$, $z_\tau/z_\sigma$ and $e$ allows one to efficiently 
compute the $r$-th root of $v$ (to apply the lemma, we need to have $g$ relatively 
prime with the order $\phi(n)$ of the multiplicative group $\mathbb{Z}_n^*$, which is the case by 
construction, because $e$ is picked to be relatively prime with $\phi(n)$). Thus, the 
prover must know at least some root of $v$ (in fact, if $e$ is picked to be prime, then 
the prover must know precisely the $e$-th root of $v$, because $g = 1$ and $r = e$). 
Note that it is crucial to the proof that $e > 2^l$ and $e$ is relatively prime with 
$\phi(n)$. 

The standard transformation of [FS86] can be applied to this identification 
scheme to come up with the GQ signature scheme, presented in Figure 1. Essen- 
tially, the interactive verifier’s $l$-bit challenge $\sigma$ is now computed using a random 
oracle (hash function) $H : \{0,1\}^* \to \{0,1\}^l$ applied to the message $M$ and the 
commitment $y$. 

3 Our Forward-Secure Scheme 

3.1 Main Ideas for Forward Security 

The main idea for our forward-secure scheme is to combine the GQ scheme with 
Shamir’s observation (Lemma 1). Namely, let $e_1, e_2, \ldots, e_T$ be distinct integers, 
all greater than $2^l$, all pairwise relatively prime and relatively prime with $\phi(n)$. 
Let $s_1, s_2, \ldots, s_T$ be such that $s_j^{e_j} = 1/v \pmod n$ for $1 \le j \le T$. In time period 
$i$, the signer will simply use the GQ scheme with the secret key $(n, s_i, e_i)$ and 
the verifier will use the GQ scheme with the public key $(n, v, e_i)$. Intuitively, this 
will be forward-secure because of the relative primality of the $e_i$’s: if the forger 
breaks in during time period $b$ and learns the $e_b$-th, $e_{b+1}$-th, $\ldots$, $e_T$-th roots of 
$v$, this will not help it compute the $e_j$-th root of $v$ for $j < b$ (nor, more generally, 
the $r$-th root of $v$, where $r \mid e_j$). 
algorithm GQ.key(k, l) 
    Generate random ⌈k/2⌉-bit primes p_1, p_2 
    n ← p_1 p_2 
    s ← Z_n^* 
    e ← [2^l, 2^{l+1}) s.t. gcd(e, φ(n)) = 1 
    v ← 1/s^e mod n 
    SK ← (n, s, e) 
    PK ← (n, v, e) 
    return (SK, PK) 

algorithm GQ.sign(M, (n, s, e)) 
    r ← Z_n^* 
    y ← r^e mod n 
    σ ← H(y, M) 
    z ← r s^σ mod n 
    return (z, σ) 

algorithm GQ.ver(M, (n, v, e), (z, σ)) 
    if z ≡ 0 (mod n) then return 0 
    y' ← z^e v^σ mod n 
    if σ = H(y', M) then return 1 
    else return 0 

Fig. 1. The GQ Signature Scheme 



This idea is quite simple. However, we still need to address the following two 
issues: (i) how the signer computes the $s_i$’s, and (ii) how both the signer and the 
verifier obtain the $e_i$’s. 

Computing $s_i$’s. Notice that if the signer were required to store all the $s_i$’s, this 
scheme would require secret storage that is linear in $T$. However, this problem 
can be easily resolved. Let $f_i = e_i \cdot e_{i+1} \cdot \ldots \cdot e_T$. Let $t_i$ be such that $t_i^{f_i} = 1/v$ 
$\pmod n$. During the $j$-th time period, the signer stores $s_j$ and $t_{j+1}$. At update 
time, the signer computes $s_{j+1} = t_{j+1}^{f_{j+2}} \bmod n$ and $t_{j+2} = t_{j+1}^{e_{j+1}} \bmod n$. This 
allows secret storage that is independent of $T$: only two values modulo $n$ are 
stored at any time (the $f_i$ and $e_i$ values are not stored; see below). It does, 
however, require computation linear in $T$ at each update, because of the high 
cost of computing $s_{j+1}$ from $t_{j+1}$. 

We can reduce the computation at each update to be only logarithmic in $T$ 
by properly utilizing precomputed powers of $t_{j+1}$. This will require us, however, 
to store $1 + \log_2 T$ secrets instead of just two. This optimization concerns only 
the efficiency of the update algorithm and affects neither the other components 
of the scheme nor the proof of security, and is therefore presented separately in 
Section 4.2. 

Obtaining $e_i$’s. In order for the scheme to be secure, the $e_i$’s need to be 
relatively prime with each other⁴ and with $\phi(n)$, and greater than $2^l$. The signer 
can therefore generate the $e_i$’s simply as distinct $(l+1)$-bit primes. Of course, 
to store all the $e_i$’s would require linear in $T$ (albeit public) storage. However, 
the signer need only store $e_j$ for the current time period $j$, and generate anew 
the other $e_i$’s for $i > j$ during key update. This works as long as the signer uses 
a deterministic algorithm for generating primes: either pseudorandom search or 
sequential search from fixed starting points. The fact that $e_i$’s are not stored but 
rather recomputed each time slows down the update algorithm only (and, as we 
show in Section 3.3, not by much). Note that the way we currently described 
the update algorithm, for the update at time period $j$ the signer will need to 
compute $e_{j+1}, \ldots, e_T$. With the optimization of Section 4.2, however, only at 
most $\log_2 T$ of the $e_i$’s will need to be computed at each update. 

⁴ In fact, this requirement can be relaxed. We can allow the $e_i$’s not to be pairwise 
relatively prime, as long as we redefine $f_i$ as $f_i = \mathrm{lcm}(e_i, e_{i+1}, \ldots, e_T)$, and require 
that $e_i$ be relatively prime with $\phi(n)$ and $e_i/\gcd(e_i, f_{i+1}) > 2^l$. However, we see no 
advantages in allowing this more general case; the disadvantage is that the $e_i$’s will 
have to be longer to satisfy the last requirement, and thus the scheme will be less 
efficient. 

We have not yet addressed the issue of how the verifier gets the $e_j$’s. Of 
course, it could simply generate them the same way that the signer does during 
each key update. However, this will slow down verification, which is undesirable. 
The solution is perhaps surprising: the verifier need not know the “true” $e_j$’s 
at all! The value of $e_j$ can be simply included by the signer in every signature 
for time period $j$. Of course, a forger is under no obligation to include the true 
$e_j$. Therefore, to avoid ambiguity, we will denote by $e$ the value included in a 
signature. It may or may not actually equal $e_j$. 

For the security of the scheme, we require that $e$ satisfy the following require- 
ments: 

1. $e$ should be included as an argument to the hash function $H$, so that the 
forger cannot decide on $e$ after seeing the challenge $\sigma$; 

2. $e$ should be greater than $2^l$, for the same reasons as in the GQ scheme; 

3. $e$ should be relatively prime with $\phi(n)$, for the same reasons as in the GQ 
scheme; and 

4. $e$ should be relatively prime with $e_b, \ldots, e_T$ (where $b$ is the break-in time 
period), so that the knowledge of the root of $v$ of degree $e_b \cdot e_{b+1} \cdot \ldots \cdot e_T$ 
does not help the forger compute any root of $v$ of degree $r \mid e$. 

The first two conditions can be easily enforced by the verifier. The third condition 
can be enforced by having $n$ be a product of two “safe” primes (primes $p_1, p_2$ that 
are of the form $p_i = 2q_i + 1$, where $q_i$ is prime). Then the verifier simply needs 
to check that $e$ is odd (then it must be relatively prime with $\phi(n)$; otherwise, 
it would be divisible by $q_1$, $q_2$ or $q_1 q_2$, which would imply that the forger could 
factor $n$). 

It is the fourth condition that presents difficulties. How can the verifier check 
that $e$ is relatively prime with $e_b, \ldots, e_T$ without knowing $b$ and the actual 
values of $e_b, \ldots, e_T$? We accomplish this by splitting the entire interval between 
$2^l$ and $2^{l+1}$ into $T$ consecutive buckets of size $2^l/T$ each, and having each $e_i$ 
be a prime from the $i$-th bucket. Then the verifier knows that the actual values 
$e_{j+1}, \ldots, e_T$ are all at least $2^l(1 + j/T)$ and prime. Thus, as long as $e$ in the 
signature for time period $j$ is less than $2^l(1 + j/T)$, it is guaranteed to be relatively 
prime with $e_{j+1}, \ldots, e_T$, and hence with $e_b, \ldots, e_T$ (because $b > j$). 

Thus, to enforce the above four conditions, all the verifier needs to check is that 
$e$ is odd, is between $2^l$ and $2^l(1 + j/T)$ and is included in the hash computation. 
3.2 The Scheme 

Our scheme (denoted IR) based on the above ideas is presented in Figure 2. As 
in the GQ scheme, let $H : \{0,1\}^* \to \{0,1\}^l$ be a hash function. 



3.3 Efficiency 

Signing and Verifying. The distinguishing feature of our scheme is the 
efficiency of the signing and verification algorithms. Both are the same as the 
already efficient ordinary GQ scheme (verifying has the additional, negligible 
component of testing whether $e$ is in the right range and odd). Namely, they 
each take two modular exponentiations, one modular multiplication and an ap- 
plication of $H$, for a total time of $O(k^2 l)$ plus the time required to evaluate $H$. 
(Note that, just like the GQ scheme, one of the two modular exponentiations for 
signing can be done off-line, before the message is known; also, one of the two 
modular exponentiations for verifying is of a fixed base $v$, and can benefit from 
precomputation.) 

Key Generation. We need to make strong assumptions on the distributions 
of primes in order to estimate efficiency of key generation. First, we assume that 
at least one in $O(k)$ $\lceil k/2 \rceil$-bit numbers is a prime, and that at least one in $O(k)$ 
of those is of the form $2q + 1$, where $q$ is prime. Then, generating $n$ takes $O(k^2)$ 
primality tests. Each primality test can be done in $O(k^3)$ bit operations [BS96]. 
Thus, the modulus $n$ is generated in $O(k^5)$ bit operations (a factor $k$ slower than 
an RSA modulus,

 because of the need for safe primes). Similarly, we will assume 
that at least one in $O(l)$ integers in each bucket $[2^l(1 + (i-1)/T), 2^l(1 + i/T))$ 
is a prime, so generating each $e_i$ takes $O(l^4)$ bit operations. 

In addition to generating $n$ and the $e_i$’s, key generation needs to compute 
the product of the $e_i$’s modulo $\phi(n)$, which takes $O(Tkl)$ bit operations, and 
three modular exponentiations, each taking $O(k^2 l)$ bit operations. Therefore, 
key generation takes $O(k^5 + l^4 T + k^2 l + klT)$ bit operations. 

Note that, similarly to the GQ scheme, $n$ and $e_i$’s may be shared among 
users if $n$ is generated by a trusted party, because each user need not know the 
factors of $n$. Each user can simply generate its own $t_1$ and $v$. 

Key Update. Key update cannot multiply all the relevant $e_i$’s modulo $\phi(n)$, be- 
cause $\phi(n)$ is not available (otherwise, the scheme would not be forward-secure). 
Therefore, it has to perform $O(T)$ modular exponentiations separately, in addi- 
tion to regenerating all the $e_i$’s. Thus, it takes $O(k^2 lT + l^4 T)$ bit operations. 

Note that the $l^4 T$ component is present in the running time for the update 
algorithm because of the need to regenerate the $e_i$’s each time. However, for 
practical values of $l$ (on the order of 100) and $k$ (on the order of 1000), $l^4 T$ is 
roughly the same as $k^2 lT$, so this only slows down the key update algorithm by 
a small constant factor. Moreover, in Section 4.1 we show how to reduce the $l^4 T$ 
component in both key generation and update to $(l^2 + \log^4 T)T$ (at a very slight 
expense to signing and verifying). 

Finally, as shown in Section 4.2, if we are willing to increase secret storage 
from $2k$ bits (for $s_j$ and $t_{j+1}$) to $(1 + \log_2 T)k$ bits, then we can replace the factor 
algorithm IR.key(k, l, T) 
    Generate random (⌈k/2⌉ − 1)-bit primes q_1, q_2 s.t. p_i = 2q_i + 1 are both prime 
    n ← p_1 p_2 
    t_1 ← Z_n^* 
    Generate primes e_i s.t. 2^l(1 + (i − 1)/T) ≤ e_i < 2^l(1 + i/T) for i = 1, 2, ..., T. 
    (This generation is done either deterministically or using a small seed seed 
    and H as a pseudorandom function.) 
    f_2 ← e_2 · ... · e_T mod φ(n), where φ(n) = 4q_1q_2 
    s_1 ← t_1^{f_2} mod n 
    v ← 1/s_1^{e_1} mod n 
    t_2 ← t_1^{e_1} mod n 
    SK_1 ← (1, T, n, s_1, t_2, e_1, seed) 
    PK ← (n, v, T) 
    return (SK_1, PK) 

algorithm IR.update(SK_j) 
    Let SK_j = (j, T, n, s_j, t_{j+1}, e_j, seed) 
    if j = T then return ε 
    Regenerate e_{j+1}, ..., e_T using seed 
    s_{j+1} ← t_{j+1}^{e_{j+2} · ... · e_T} mod n;  t_{j+2} ← t_{j+1}^{e_{j+1}} mod n 
    return SK_{j+1} = (j + 1, T, n, s_{j+1}, t_{j+2}, e_{j+1}, seed) 

algorithm IR.sign(SK_j, M) 
    Let SK_j = (j, T, n, s_j, t_{j+1}, e_j, seed) 
    r ← Z_n^* 
    y ← r^{e_j} mod n 
    σ ← H(j, e_j, y, M) 
    z ← r s_j^σ mod n 
    return (z, σ, j, e_j) 

algorithm IR.ver(PK, M, (z, σ, j, e)) 
    Let PK = (n, v, T) 
    if e ≥ 2^l(1 + j/T) or e < 2^l or e is even then return 0 
    if z ≡ 0 (mod n) then return 0 
    y' ← z^e v^σ mod n 
    if σ = H(j, e, y', M) then return 1 else return 0 

Fig. 2. Our forward-secure signature scheme (without efficiency improvements) 
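To make the roles of the bucket rule, the $t_{j+1}$ chain and the verifier’s checks on $e$ concrete, here is an added Python instantiation of Figure 2 (example code written for this page; not the authors’ implementation). It uses constructed toy parameters: the safe primes $47 = 2 \cdot 23 + 1$ and $59 = 2 \cdot 29 + 1$, $l = 8$, $T = 4$, $t_1 = 2$, SHA-256 truncated to $l$ bits in place of the random oracle $H$, and sequential search from each bucket’s lower end in place of a seed, so no seed is stored. All function and variable names are the example’s own; a real deployment would use $k$-bit safe primes and a proper primality test. The GQ core of Figure 1 is what ir_sign and ir_ver compute once $(j, e_j)$ is bound into the hash.

```python
import hashlib
import secrets
from math import gcd

def is_prime(m):
    """Trial division; adequate for the toy-sized e_i used here."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True

def bucket_primes(l, T):
    """e_i = first prime in the i-th bucket [2^l(1+(i-1)/T), 2^l(1+i/T)).
    Sequential search from a fixed starting point, so signer (and the
    reduction) can regenerate the e_i's instead of storing them."""
    es = []
    for i in range(1, T + 1):
        e = -(-(2 ** l * (T + i - 1)) // T)        # ceiling of the bucket's lower end
        while e * T < 2 ** l * (T + i):            # strictly below the bucket's upper end
            if is_prime(e):
                break
            e += 1
        else:
            raise ValueError("bucket %d contains no prime" % i)
        es.append(e)
    return es

def H(l, *parts):
    """Random-oracle stand-in: SHA-256 of the arguments, truncated to l bits."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (2 ** l)

def ir_key(p1, p2, l, T, t1):
    """IR.key with the safe primes and t_1 supplied by the caller (constructed
    inputs, to keep the example deterministic)."""
    n, phi = p1 * p2, (p1 - 1) * (p2 - 1)
    es = bucket_primes(l, T)
    if any(gcd(e, phi) != 1 for e in es):
        raise ValueError("some e_i shares a factor with phi(n)")
    f2 = 1
    for e in es[1:]:                       # f_2 = e_2 * ... * e_T mod phi(n)
        f2 = f2 * e % phi
    s1 = pow(t1, f2, n)
    v = pow(pow(s1, es[0], n), -1, n)      # v = 1 / s_1^{e_1} mod n
    t2 = pow(t1, es[0], n)                 # t_2 = t_1^{e_1} mod n
    # phi(n), p1, p2 and t1 must now be erased; only SK_1 and PK survive.
    sk1 = {"j": 1, "T": T, "n": n, "s": s1, "t_next": t2, "e": es[0]}
    pk = {"n": n, "v": v, "T": T}
    return sk1, pk

def ir_update(sk, l):
    """IR.update: derive SK_{j+1} from SK_j without phi(n); returns None (the
    empty string) after the last period."""
    j, T, n = sk["j"], sk["T"], sk["n"]
    if j == T:
        return None
    es = bucket_primes(l, T)               # regenerate e_{j+1}, ..., e_T (es[j:], 0-based)
    s_next = sk["t_next"]
    for e in es[j + 1:]:                   # s_{j+1} = t_{j+1}^{e_{j+2} ... e_T}: T-j-1 exponentiations
        s_next = pow(s_next, e, n)
    t_next = pow(sk["t_next"], es[j], n)   # t_{j+2} = t_{j+1}^{e_{j+1}}
    return {"j": j + 1, "T": T, "n": n, "s": s_next, "t_next": t_next, "e": es[j]}

def ir_sign(sk, l, M):
    """IR.sign: the GQ signature of Figure 1 with (j, e_j) bound into the hash."""
    n, j, e, s = sk["n"], sk["j"], sk["e"], sk["s"]
    while True:                            # r uniform in Z_n^*
        r = secrets.randbelow(n)
        if gcd(r, n) == 1:
            break
    y = pow(r, e, n)
    sigma = H(l, j, e, y, M)
    z = r * pow(s, sigma, n) % n
    return (z, sigma, j, e)

def ir_ver(pk, l, M, sig):
    """IR.ver: the checks on e (range and oddness, and e inside the hash)
    followed by ordinary GQ verification."""
    z, sigma, j, e = sig
    n, v, T = pk["n"], pk["v"], pk["T"]
    if not 1 <= j <= T:
        return 0
    if e * T >= 2 ** l * (T + j) or e < 2 ** l or e % 2 == 0:
        return 0                           # e must lie in [2^l, 2^l(1 + j/T)) and be odd
    if z % n == 0:
        return 0
    y_prime = pow(z, e, n) * pow(v, sigma, n) % n
    return 1 if sigma == H(l, j, e, y_prime, M) else 0
```

With these parameters bucket_primes(8, 4) returns 257, 331, 389, 449, so a period-1 signature that claims $e = 449$ fails the range check before any exponentiation, and after ir_update the key no longer contains $s_j$ for any earlier period, only $s_{j+1}$ and $t_{j+2}$.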
of $T$ in the cost of update by the factor of $\log_2 T$, to get update at the cost of 
$O((l^4 + k^2 l)\log T)$ (or, if the optimization of Section 4.1 is additionally applied, 
$O((k^2 l + l^2 + \log^4 T)\log T)$). 

Sizes. All the key and signature sizes are comparable to those in the ordinary 
GQ scheme. 

The public key has $l + 1$ fewer bits than the GQ public key, and the signatures 
have $l + 1$ more bits, because $e$ is included in the signature rather than in the 
public key. In addition, both the public key and the signature have $\log_2 T$ more 
bits in order to accommodate $T$ in the public key and the current time period in 
the signature (this is necessary in any forward-secure scheme). Thus, the total 
public key length is $2k + \log_2 T$ bits, and signature length is $k + 2l + 1 + \log_2 T$ 
bits. The optimization of Section 4.1 shortens the signatures slightly, replacing $l + 1$ 
of the signature bits with about $\log_2 T$ bits. 

The secret key is $k + 2\log_2 T + |seed|$ bits longer than in the GQ scheme in 
order to accommodate the current time period $j$, the total time periods $T$, the 
value $t_{j+1}$ necessary to compute future keys and the seed necessary to regenerate 
the $e_i$’s for $i > j$. Thus, the total secret key length is $3k + l + 1 + |seed| + 2\log_2 T$ 
bits (note that only $2k$ of these bits need to be kept secret). If the optimization 
of Section 4.2 is used, then the secret contains an additional $k(\log_2 T - 1)$ bits, 
all of which need to be kept secret. 



3.4 Security 



The exact security of our scheme (in the random oracle model) is close to the 
exact security of the schemes of [BM99, AR00]. The proof is also similar: it closely 
follows the one in [BM99], combining ideas from earlier work. 

First, we state the following theorem that will allow us to upper-bound the 
insecurity function. The full proof of the theorem is very similar to the one in 
[BM99] and is contained in the Appendix. 



Theorem 1. Given a forger $F$ for $\mathrm{IR}[k, l, T]$ that runs in time at most $t$, asking 
$q_{hash}$ hash queries and $q_{sig}$ signing queries, such that $\mathrm{Succ}^{fwsig}(\mathrm{IR}[k, l, T], F) \ge \varepsilon$, 
we can construct an algorithm $A$ that, on input $n$ (a product of two safe primes), 
$a \in \mathbb{Z}_n^*$ and $l$, runs in time $t'$ and outputs $(\beta, r)$ such that $1 < r < 2^{l+1}$ and 
$\beta^r = a \pmod n$ with probability $\varepsilon'$, where 

$$t' = 2t + O(lT(l^3 T + k^2))$$ 

$$\varepsilon' = \frac{(\varepsilon - 2^{2-k} q_{sig}(q_{hash} + 1))^2}{T^2 (q_{hash} + 1)} - \frac{\varepsilon - 2^{2-k} q_{sig}(q_{hash} + 1)}{2^l T}.$$ 



Proof Outline. $A$ will use $F$ as a subroutine. (Note that $A$ gets to provide 
the public key for $F$ and to answer its signing and hashing queries.) $A$ bases the 
public key $v$ on $a$ as follows: it randomly guesses $j$ between 1 and $T$, hoping that 
$F$’s eventual forgery will be for the $j$-th time period. It then generates $e_1, \ldots, e_T$ 
just like the real signer, sets $t_{j+1} = a$ and computes $v$ as $v = 1/t_{j+1}^{f_{j+1}} \bmod n$, 
where, as above, $f_{j+1} = e_{j+1} \cdot \ldots \cdot e_T$. 

Then $A$ runs $F$. Answering $F$’s hash and signature queries is easy, because $A$ 
fully controls the random oracle $H$. If $A$’s guess for $j$ was correct, and $F$ indeed 
will output a forgery for the $j$-th time period, then $F$’s break-in query will be 
for the secret of a time period $b > j$. $A$ can compute the answer as follows: 
$t_{b+1} = t_{j+1}^{e_{j+1} \cdot \ldots \cdot e_b}$ and $s_b = t_{j+1}^{e_{j+1} \cdot \ldots \cdot e_{b-1} \cdot f_{b+1}}$ (the other 
components of $SK_b$ are not secret, anyway). Suppose $A$’s guess was correct, and 
in the end $F$ outputs a signature $(z, \sigma, j, e)$ on some message $M$. We will assume 
that $F$ asked a hash query on $(j, e, y, M)$ where $y = z^e v^\sigma \bmod n$ ($F$ can always 
be modified to do so). 

Then, $A$ runs $F$ the second time with the same random tape, giving the same 
answers to all the oracle queries before the query $(j, e, y, M)$. For $(j, e, y, M)$, $A$ 
gives a new answer $\tau$. If $F$ again forges a signature $(z', \tau, j, e)$ using the same 
hash query, we will have that $y = z^e v^\sigma = z'^e v^\tau \pmod n$, so $(z/z')^e = v^{\tau - \sigma} = 
a^{f_{j+1}(\sigma - \tau)} \pmod n$. Note that because $e$ is guaranteed to be relatively prime 
with $f_{j+1}$, and $\sigma - \tau$ has at least one fewer bit than $e$, $\gcd(f_{j+1}(\sigma - \tau), e) = 
\gcd(\sigma - \tau, e) < e$ (as long as $\sigma \ne \tau$). Thus, $r = e/\gcd(f_{j+1}(\sigma - \tau), e) > 1$ and, 
by Lemma 1, $A$ will be able to efficiently compute the $r$-th root of $a$. 

Please refer to the Appendix for further details. □ 

This allows us to state the following theorem about the insecurity function 
of our scheme. 

Theorem 2. For any $t$, $q_{sig}$, and $q_{hash}$, 

$$\mathrm{InSec}^{fwsig}(\mathrm{IR}[k, l, T], t, q_{sig}, q_{hash}) \le 
T\sqrt{(q_{hash} + 1)\,\mathrm{InSec}^{SRSA}(k, l, t')} + 2^{-l} T (q_{hash} + 1) + 2^{2-k} q_{sig}(q_{hash} + 1),$$ 
where $t' = 2t + O(lT(l^3 T + k^2))$. 

Proof. To compute the insecurity function, simply solve for $(\varepsilon - 2^{2-k} q_{sig}(q_{hash} + 
1))/T$ the quadratic equation in Theorem 1 that expresses $\varepsilon'$ in terms of $\varepsilon$ to get 

$$(\varepsilon - 2^{2-k} q_{sig}(q_{hash} + 1))/T$$ 

$$= 2^{-l-1}(q_{hash} + 1) + \sqrt{2^{-2l-2}(q_{hash} + 1)^2 + \varepsilon'(q_{hash} + 1)}$$ 

$$\le 2^{-l-1}(q_{hash} + 1) + 2^{-l-1}(q_{hash} + 1) + \sqrt{\varepsilon'(q_{hash} + 1)}$$ 

$$= 2^{-l}(q_{hash} + 1) + \sqrt{\varepsilon'(q_{hash} + 1)},$$ 

and then solve the resulting inequality for $\varepsilon$. □ 

4 Further Improving Efficiency 

4.1 Finding the e^’s Faster 

Finding $e_i$’s takes time because they need to be $(l+1)$-bit primes. If we were able 
to use small primes instead, we could search significantly faster, both because 
small primes are more frequent and because primality tests are faster for shorter 
lengths.⁵ 

We cannot use small primes directly because, as already pointed out, the $e_i$’s 
must have at least $l + 1$ bits. However, we can use powers of small primes that 
are at least $l + 1$ bits. That is, we let $\tilde e_i$ be a small prime, $\pi(\tilde e_i)$ be such that 
$\tilde e_i^{\pi(\tilde e_i)} \ge 2^l$ and $e_i = \tilde e_i^{\pi(\tilde e_i)}$. As long as $\pi$ is a deterministic function of its input 
$\tilde e$ (for example, $\pi(\tilde e) = \lceil l / \lfloor \log_2 \tilde e \rfloor \rceil$), we can replace $e$ in the signature by $\tilde e$, and 
have the verification algorithm compute $e = \tilde e^{\pi(\tilde e)}$. 

Of course, the verification algorithm still needs to ensure that $e$ is relatively 
prime to $\phi(n)$ and to $e_b, \ldots, e_T$. This is accomplished essentially the same way 
as before: we divide a space of small integers into $T$ consecutive buckets of some 
size $S$ each, and have each $\tilde e_i$ come from the $i$-th bucket: $\tilde e_i \in [(i-1)S, iS)$. 
Then, when verifying a signature for time period $j$, it will suffice to check that $\tilde e$ 
is odd and comes from a bucket no greater than the $j$-th: $\tilde e < jS$. It will then be 
relatively prime to $\tilde e_b, \ldots, \tilde e_T$, and therefore $e = \tilde e^{\pi(\tilde e)}$ will be relatively prime to 
$e_b, \ldots, e_T$. 

When we used large primes, we simply partitioned the space of $(l+1)$-bit 
integers into large buckets, of size $2^l/T$ each. We could have used smaller buckets, 
but this offered no advantages. However, now that we are using small primes, it 
is advantageous to make the bucket size $S$ as small as possible, so that even the 
largest prime (about $TS$) is still small. 

Thus, to see how much this optimization speeds up the search for the $\tilde e_i$’s, we 
need to upper-bound $S$. $S$ needs to be picked so that there is at least one prime 
in each interval $[(i-1)S, iS)$ for $1 \le i \le T$. It is reasonable to conjecture that 
the distance between two consecutive primes $p_n$ and $p_{n+1}$ is at most $\ln^2 p_n$ 
[BS96]. Therefore, because the largest prime we are looking for is smaller than 
$TS$, $S$ should be such that $S \ge \ln^2 TS$. It is easy to see that $S = 4\ln^2 T$ 
will work for $T \ge 75$. (As a practical matter, computation shows that, for any 
reasonable value of $T$, the value of $S$ will be quite small: $S = 34$ will work for 
$T = 1000$, because the largest gap between the first 1000 primes is 34; by the 
same reasoning, $S = 72$ will work for $T = 10^4$, $S = 114$ will work for $T = 10^5$, 
and $S = 154$ will work for $T = 10^6$.) Thus, the $\tilde e_i$’s are all less than $4T\ln^2 T$, 
and therefore the size of each $\tilde e_i$ is $O(\log T)$ bits. Thus, finding and testing the 
primality of the $\tilde e_i$’s and then computing the $e_i$’s takes $O(T(\log^4 T + l^2))$ time, 
as opposed to $O(Tl^4)$ without this optimization. 

The resulting scheme will slightly increase verification time: the verifier needs 
to compute $e$ from $\tilde e$. This takes time $O(l^2)$ (exponentiating any quantity to 
obtain an $(l+1)$-bit quantity takes time $O(l^2)$), which is lower order than the $O(k^2 l)$ 
verification time. Moreover, it will be impossible to get $e_i$ to be exactly $l + 1$ 
bits (it will be, on average, about $l + (\log_2 T)/2$ bits). This will slow down both 
verification and signing, albeit by small amounts. Therefore, whether to use the 
optimization in practice depends on the relative importance of the speeds of 
signing and verifying vs. the speeds of key generation and update. 
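The following added Python example (not from the paper) makes the small-prime optimization and the bucket-size heuristic concrete: it computes $\pi(\tilde e)$ and $e = \tilde e^{\pi(\tilde e)}$, builds the $\tilde e_i$’s as the first odd prime of each bucket $[(i-1)S, iS)$, performs the verifier’s check $\tilde e < jS$ before reconstructing $e$, and measures the largest gap among the first $T$ primes, which is the quantity the text quotes for $T = 1000$ and $T = 10^4$. The function names, the sieve bound and the parameters used are the example’s own assumptions.

```python
from math import gcd, log

def small_prime_to_exponent(e_tilde, l):
    """pi(ẽ) = ceil(l / floor(log2 ẽ)) and e = ẽ^pi(ẽ); e then has at least l+1 bits."""
    bits = e_tilde.bit_length() - 1            # floor(log2 ẽ)
    pi = -(-l // bits)                         # ceiling division
    return pi, e_tilde ** pi

def primes_upto(limit):
    """Sieve of Eratosthenes; returns the primes <= limit in increasing order."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, int(limit ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(sieve[p * p::p]))
    return [p for p in range(limit + 1) if sieve[p]]

def max_gap_among_first_primes(count):
    """Largest distance between consecutive primes among the first `count` primes."""
    # Rosser's bound p_count < count(ln count + ln ln count) (count >= 6) gives a safe sieve limit.
    limit = int(count * (log(count) + log(log(count)))) + 1
    ps = primes_upto(limit)[:count]
    return max(b - a for a, b in zip(ps, ps[1:]))

def signer_small_primes(T, S):
    """ẽ_i = first odd prime in the i-th bucket [(i-1)S, iS); raises if a bucket has none
    (that is the case S handles only when it is large enough for the prime gaps involved)."""
    ps = primes_upto(T * S)
    es = []
    for i in range(1, T + 1):
        cands = [p for p in ps if (i - 1) * S <= p < i * S and p % 2 == 1]
        if not cands:
            raise ValueError("bucket %d has no odd prime; S is too small" % i)
        es.append(cands[0])
    return es

def verifier_reconstruct_e(e_tilde, j, S, l):
    """Verifier side: accept ẽ only if it is odd and from a bucket no later than the
    j-th (ẽ < jS), then recompute e = ẽ^pi(ẽ).  Returns None on rejection."""
    if e_tilde < 2 or e_tilde % 2 == 0 or e_tilde >= j * S:
        return None
    return small_prime_to_exponent(e_tilde, l)[1]

if __name__ == "__main__":
    print("largest gap among the first 1000 primes:", max_gap_among_first_primes(1000))
    es = signer_small_primes(100, 85)      # T = 100, S = 85 (about 4 ln^2 T)
    print("e~_1..e~_5:", es[:5], " e_1 =", verifier_reconstruct_e(es[0], 1, 85, 100))
```

Because the $\tilde e_i$’s are distinct primes, any accepted $\tilde e$ from a bucket up to the $j$-th is automatically coprime to $\tilde e_b, \ldots, \tilde e_T$ for $b > j$, and the same holds for their powers $e$; the verifier never needs the signer’s actual $\tilde e_i$’s.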



⁵ In fact, when a table of small primes is readily available (as it often is for reasonably 
small $T$), no searching or primality tests are required at all. 






4.2 Optimizing Key Update 

The key update in our scheme requires computing $s_i$ such that $s_i^{e_i} = 1/v \bmod n$. 
Knowledge of $s_{i-1}$, such that $s_{i-1}^{e_{i-1}} = 1/v \bmod n$, does not help, because $e_i$ and 
$e_{i-1}$ are relatively prime. The easiest way to compute $s_i$ requires knowledge 
of $\phi(n)$: $s_i \leftarrow s_{i-1}^{e_{i-1}/e_i \bmod \phi(n)}$. However, the signer cannot store $\phi(n)$; 
otherwise the forger would obtain it during a break-in, and thus be able to factor 
$n$ and produce the past periods’ secrets (and signatures). The value of $\phi(n)$ can 
be used only during the initial key generation stage, after which it should be 
securely deleted. 

To enable generation of current and future $s_i$’s without compromising the 
past ones, we had defined (in Section 3.1) a secret $t_i$ for time period $i$, from 
which it was possible to derive all future periods’ secrets $s_j$, $j \ge i$. The update of 
$t_i$ to $t_{i+1}$ can be implemented efficiently (1 exponentiation). However, in this 
approach the computation of each $s_i$ from $t_i$ requires $O(T - i)$ exponentiations. 
This computation can be reduced dramatically if the storage is increased slightly. 

Specifically, in this section we demonstrate how replacing the single secret $t_i$ 
with $\log_2 T$ secrets can reduce the complexity of the update algorithm to only 
$\log_2 T$ exponentiations. 

Abstracting the Problem. Consider all subsets of $Z_T = \{1, 2, \ldots, T\}$. Let 
each such subset $S$ correspond to the secret value $t_S$ such that $t_S^{\prod_{i \in S} e_i} = 1/v \pmod n$. For example, 
$t_1$ corresponds to $Z_T$, $t_i$ corresponds to $\{i, i+1, \ldots, T\}$, $v^{-1}$ corresponds to the 
empty set, and each $s_i$ corresponds to the singleton set $\{i\}$. Raising some secret 
value $t_S$ to power $e_i$ corresponds to dropping $i$ from $S$. 

Thus, instead of secrets and the exponentiation operation, we can consider 
sets and the operation of removing an element. Our problem, then, can be re- 
formulated as follows: design an algorithm that, given $Z_T$, outputs (one-by-one, 
in order) the singleton sets $\{i\}$ for $1 \le i \le T$. The only way to create new sets is 
to remove elements from known sets. The algorithm should minimize the num- 
ber of element-removal operations (because they correspond to the expensive 
exponentiation operations). 

Fairly elementary analysis quickly demonstrates that the most efficient so- 
lution for this problem (at least for $T$ that is a power of 2) is the following 
divide-and-conquer algorithm: 

Input: An ordered non-empty set $A$. 

Output: Singleton sets $\{x\}$, for $x \in A$, in order. 

Steps: If $A$ has one element, output $A$ and return. 

Remove the second half of $A$’s elements to get $B$. 

Recurse on $B$. 

Remove the first half of $A$’s elements to get $C$. 

Recurse on $C$. 

This algorithm takes exactly $T\log_2 T$ element-removal operations to output 
all the singletons. Moreover, the recursion depth is $1 + \log_2 T$, so only $1 + \log_2 T$ 
sets need to be stored at any time (each set is just a consecutive interval, so the 
bookkeeping about what each set actually contains is simple). 
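As an added example (not the authors’ code), the Python below runs the divide-and-conquer algorithm above on actual secrets: each interval $A$ carries the value $t_A$ with $t_A^{\prod_{i \in A} e_i} = 1/v$, every element removal is one modular exponentiation by the corresponding $e_i$, and the singleton outputs are exactly the period secrets $s_i$ in increasing order. It counts the exponentiations and the number of intervals alive on the recursion stack so that the $T\log_2 T$ and $1 + \log_2 T$ bounds can be checked. The toy modulus $n = 253$, the exponents and $t_1 = 2$ are constructed for the example.

```python
def singletons_in_order(A, t_A, es, n, stats, depth=1):
    """Divide-and-conquer of Section 4.2 on the consecutive interval A (a list of
    1-based period indices).  t_A is the secret for A, i.e. t_A^{prod of e_i, i in A}
    == 1/v (mod n).  Yields (i, s_i) in increasing order of i; every element removal
    costs exactly one modular exponentiation by e_i."""
    stats["max_stored"] = max(stats["max_stored"], depth)   # intervals alive on the stack
    if len(A) == 1:
        yield A[0], t_A                      # the singleton {i}: its secret is s_i
        return
    half = len(A) // 2
    t_B = t_A
    for i in A[half:]:                       # drop the second half of A: B = first half
        t_B = pow(t_B, es[i - 1], n)
        stats["exponentiations"] += 1
    yield from singletons_in_order(A[:half], t_B, es, n, stats, depth + 1)
    t_C = t_A
    for i in A[:half]:                       # drop the first half of A: C = second half
        t_C = pow(t_C, es[i - 1], n)
        stats["exponentiations"] += 1
    yield from singletons_in_order(A[half:], t_C, es, n, stats, depth + 1)

def all_period_secrets(t1, es, n):
    """Run the algorithm from Z_T (whose secret is t_1) and return the list of
    (i, s_i) together with the operation counts."""
    T = len(es)
    stats = {"exponentiations": 0, "max_stored": 0}
    period_secrets = list(singletons_in_order(list(range(1, T + 1)), t1, es, n, stats))
    return period_secrets, stats

def inverse_v(t1, es, n):
    """1/v = t_1^{e_1 ... e_T} mod n, the value every s_i^{e_i} must equal."""
    x = t1
    for e in es:
        x = pow(x, e, n)
    return x

if __name__ == "__main__":
    # Constructed toy instance: n = 11 * 23, exponents coprime to phi(n) = 220, t_1 = 2.
    ES = [3, 7, 13, 17, 19, 23, 29, 31]
    secrets_list, st = all_period_secrets(2, ES, 253)
    print(secrets_list, st)              # 24 exponentiations = T log2 T, 4 stored = 1 + log2 T
```

The `max_stored` figure is the pebble count of the next subsection: while the left branch is being expanded, the enclosing intervals are still needed for their right halves, so at the deepest point $1 + \log_2 T$ intervals coexist.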
This recursive algorithm can essentially be the update algorithm for our 
scheme: at every call to update, we run the recursive algorithm a little further, 
until it produces the next output. We then stop the recursive algorithm, save 
its stack (we need to save only $\log_2 T$ secrets, because the remaining one is the 
output of the algorithm), and run it again at the next call to update. A little 
more care needs to be taken to ensure forward security: none of the sets stored 
at time period $i$ should contain elements less than $i$. This can be done by simply 
removing $i$ from all sets that still contain $i$ (and that are still needed) during 
the $i$-th update. The total amount of work still does not change. 

Because there are $T$ calls to update (if we include the initial key generation), the amortized amount of work per update is exactly $\log_2 T$ exponentiations. However, some updates will be more expensive than others, and update will still cost $O(T)$ exponentiations in the worst case. We thus want to improve the worst-case running time of our solution without increasing the (already optimal) total running time. This can be done through pebbling techniques, described below.
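
To make the cost structure concrete, here is an added example (not code from the paper) that runs the divide-and-conquer schedule above as the update algorithm, counting element removals (one per exponentiation) between consecutive singleton outputs and the number of intervals held on the recursion stack; the names `Tally`, `singletons` and `update_costs` are chosen here.

```python
# Added example: the divide-and-conquer singleton schedule over Z_T = {1..T},
# consumed one output at a time the way the update algorithm would consume it.
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass
class Tally:
    removals: int = 0     # element removals (= exponentiations) so far
    depth: int = 0        # intervals currently held on the recursion stack
    max_depth: int = 0    # peak stack depth = peak number of stored sets


def singletons(lo: int, hi: int, tally: Tally) -> Iterator[int]:
    """Yield {lo}, ..., {hi} in order; new sets arise only by dropping elements."""
    tally.depth += 1
    tally.max_depth = max(tally.max_depth, tally.depth)
    if lo == hi:
        yield lo                          # singleton reached: the period's secret
    else:
        mid = (lo + hi) // 2
        tally.removals += hi - mid        # drop second half -> B = {lo..mid}
        yield from singletons(lo, mid, tally)
        tally.removals += mid - lo + 1    # drop first half  -> C = {mid+1..hi}
        yield from singletons(mid + 1, hi, tally)
    tally.depth -= 1


def update_costs(T: int) -> Tuple[List[int], int]:
    """Per-update removal counts for periods 1..T, and the peak number of stored sets.

    The sum is T*log2(T) (amortized log2(T) per update) while the largest single
    update, the one that crosses the root of the recursion, costs T-1 removals.
    """
    assert T > 1 and T & (T - 1) == 0, "T must be a power of two"
    tally, costs, seen = Tally(), [], 0
    for _ in singletons(1, T, tally):
        costs.append(tally.removals - seen)   # work done since the previous output
        seen = tally.removals
    return costs, tally.max_depth


if __name__ == "__main__":
    costs, depth = update_costs(8)
    print(costs, sum(costs), max(costs), depth)   # [7, 1, 3, 1, 7, 1, 3, 1] 24 7 4
```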

Pebbling. Let each subset of $Z_T$ correspond to a node in a graph. Connect two sets by a directed edge if the destination can be obtained from the source by dropping a single element. The resulting graph is the $T$-dimensional hypercube, with directions on the edges (going from higher-weight nodes to lower-weight nodes). We can traverse the graph in the direction given by the edges. We start at the node corresponding to $Z_T$, and need to get to all the nodes corresponding to the singleton sets $\{i\}$.

One way to accomplish this task is given by the above recursive algorithm, which has the minimal total number of steps. However, we would like to minimize not only the total number of steps, but also the number of steps taken between any two “consecutive” nodes $\{i\}$ and $\{i+1\}$, while keeping the memory usage low. We will do this by properly arranging different branches of the recursive algorithm to run in parallel.

To help visualize the algorithm, we will represent each set stored as a pebble at the corresponding node in a graph. Then removing an element from a set corresponds to moving the corresponding pebble down the corresponding directed edge. The original set may be preserved, in which case a “clone” of a pebble is left at the original node, or it may be discarded, in which case no such clone is left. Our goal can be reformulated as follows in terms of pebbles: find a pebbling strategy that, starting at the node $Z_T$, reaches every node $\{i\}$ in order, while minimizing the number of pebbles used at any given time (this corresponds to the total secret storage needed), the total number of pebble moves (this corresponds to the total number of exponentiations needed), and the number of pebble moves between any two consecutive hits of a singleton (this corresponds to the worst-case cost of the update algorithm).

The Pebbling Algorithm. We shall assume that $T > 1$ is a power of 2. The following strategy uses at most $1 + \log_2 T$ pebbles, takes $T \log_2 T$ total moves (which is the minimum possible), and requires at most $\log_2 T$ moves per update.

Each pebble has the following information associated with it:

1. its current position, represented by a set $P \subseteq Z_T$ ($P$ will always be a set of consecutive integers $\{P_{\min}, \dots, P_{\max}\}$);

2. its “responsibility,” represented by a set $R \subseteq P$ ($R$ will also always be a set of consecutive integers $\{R_{\min}, \dots, R_{\max}\}$; moreover $|R|$ will always be a power of 2).

Each pebble's goal is to ensure that it (together with its clones, their clones, etc.) reaches every singleton in its set $R$. If $R \subset P$, then the pebble can move towards this goal by removing an element from $P$. If, however, $R = P$, then the pebble has to clone (unless $|R| = |P| = 1$, in which case it has reached its singleton, and can be removed from the graph). Namely, it creates a new pebble with the same $P$, and responsibility set $R'$ containing only the second half of $R$. It then changes its own $R$ to $R - R'$ (thus dividing its responsibility evenly between itself and its clone). Now both the pebble and the clone can move towards their disjoint sets of singletons.

We start with a single pebble with $P = R = Z_T$. The above rules for moving and cloning ensure that the combined moves of all the pebbles will be the same as in the recursive algorithm. Thus, the steps of the pebbles are already determined. We now have to specify the timing rules: namely, when the pebbles take their steps. A careful specification is important: if a pebble moves too fast, then it can produce more clones than necessary, thus increasing the total memory; if a pebble moves too slowly, then it may take longer to reach its destination singletons, thus increasing the worst-case cost of update.

In order to specify the timing rules, we will imagine having a clock. The clock “ticks” consecutive integer values, starting with $-T/2 + 1$. After each clock tick, each pebble will decide whether to move and, if so, for how many moves, as follows:

1. The original pebble always makes two moves per clock tick, until it reaches the singleton $\{1\}$. After reaching the singleton it stops, and then removes itself from the graph on the next clock tick.

2. After a new pebble is cloned with responsibility set $R$, it stays still for $\lceil |R|/2 \rceil$ clock ticks. After the $\lceil |R|/2 \rceil$-th clock tick following its birth, it starts moving at one move per clock tick. After $|R|$ such moves, it starts moving at two moves per clock tick, until it reaches its leftmost singleton. After reaching the singleton it stops, and then removes itself from the graph on the next clock tick.

We remark that the above rules may seem a bit complex. Indeed, simpler rules can be envisioned: for example, allowing each pebble at most one move per clock tick, and specifying that each pebble moves following a given clock tick only if it absolutely has to move in order to reach its leftmost singleton on time. However, this set of rules will require $(\log_2 T)^2 - 2$ pebbles (even though at most $\log_2 T$ of them will be moving at any given time). Having pebbles move at variable speeds allows us to delay their cloning, and thus reduces the total number of pebbles, as shown by the following theorem.

Theorem 3. Suppose $T > 1$ is a power of two. If $i$ is the value most recently ticked by the clock, then the total number of pebbles under the above rules never exceeds $1 + \lfloor \log_2 (T - i) \rfloor$ (if $i \ge 0$) or $(\log_2 T) - \lfloor \log_2 (-i) \rfloor$ (if $-T < i < 0$). The number of moves occurring immediately following the clock tick $i$ also never exceeds this quantity. For each $i$, $1 \le i < T$, a pebble reaches the singleton $\{i+1\}$ immediately before the clock ticks $i+1$, and is removed before the clock ticks $i+2$.

Proof. The proof is by induction on $\log_2 T$.

For $T = 2$, we start with a single pebble with $P = R = \{1, 2\}$. After the clock ticks 0, this pebble clones the pebble with $R' = \{2\}$, and itself moves to $P = \{1\}$. The clone waits for one clock tick and then, after the clock ticks 1, the clone moves to $P = \{2\}$.

Suppose the statement is true for some $T$ that is a power of two. We will now prove it for $T' = 2T$. After clock tick $-T + 1$, we have two pebbles: one responsible for $\{1, \dots, T\}$, and the other responsible for $\{T + 1, \dots, 2T\}$. For the next $T/2 - 1$ clock ticks, the first pebble will move at two steps per tick, and the second one will stay put (thus, the number of moves does not exceed the number of pebbles). After the clock ticks $-T/2$, the first pebble will arrive at position $P = \{1, \dots, T\}$. Thus, starting at $t = -T + 1$, the inductive hypothesis applies to all the pebbles that will cover the first half of the singletons: there is a single pebble until $t = -T/2 + 1$ and it is in position $P = \{1, \dots, T\}$ after clock tick $-T/2 + 1$.

The second pebble will reach the position $P' = \{T + 1, \dots, 2T\}$ after the clock ticks $T/2$. Thus, again, after the clock ticks $T/2 + 1$, the inductive hypothesis applies to all the pebbles that will cover the second half of the singletons, except that time is shifted forward by $T$. That is, if $1 \le t < T$, then the number of pebbles in the second half does not exceed $(\log_2 T) - \lfloor \log_2 (T - t) \rfloor$, and if $t \ge T$, then the number of pebbles in the second half does not exceed $1 + \lfloor \log_2 (2T - t) \rfloor$.

The key to finishing the proof is to realize that the first half will lose a pebble just as the second half gains one. To be precise, we can consider the following four cases.

— For $-T < i < 0$, we have $(\log_2 T) - \lfloor \log_2 (-i) \rfloor$ pebbles in the first half (by the inductive hypothesis), and one pebble in the second half, so we have a total of $(\log_2 2T) - \lfloor \log_2 (-i) \rfloor$ pebbles, as required.

— For $i = 0$, we have $1 + \log_2 T = \log_2 2T$ pebbles in the first half (by the inductive hypothesis), and one pebble in the second half, for a total of $1 + \log_2 2T$ pebbles, as required.

— For $0 < i < T$, we have $1 + \lfloor \log_2 (T - i) \rfloor$ pebbles in the first half and $(\log_2 T) - \lfloor \log_2 (T - i) \rfloor$ pebbles in the second half (both by the inductive hypothesis), for a total of $1 + \log_2 T = 1 + \lfloor \log_2 (2T - i) \rfloor$ pebbles, as required.

— For $i \ge T$, we have no pebbles in the first half and $1 + \lfloor \log_2 (2T - i) \rfloor$ pebbles in the second half (by the inductive hypothesis), as required.

It is easy to see that in each of the above four cases, the number of moves does not exceed the number of pebbles (because for every pebble moving at two steps per clock tick, there exists a pebble that is standing still, namely its most recent clone). □

Security. It is, of course, crucial to ensure that the above changes to the update algorithm do not compromise the security of our scheme. It suffices to prove that every secret stored following the clock tick $i$ can be derived in polynomial time from $t_{i+1}$. In other words, it suffices to prove that, following the clock tick $i$, no pebble's position $P$ satisfies $i \in P$. This can be easily done by induction, as long as each pebble moves towards its goal by removing the smallest possible element from its position $P$ (the inductive step is proved as follows: if $2T$ is the total number of time periods, then the single pebble responsible for the second half of the singletons will have removed $\{1, \dots, T/2\}$ from its position following the clock tick 1, and will have removed $\{1, \dots, T\}$ following the clock tick $T/2 + 1$).
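
The following added simulation (not the authors' code) implements the pebbling rules and timing rules above for any $T$ that is a power of two and checks, tick by tick, the pebble and move bounds of Theorem 3, that the singleton $\{i+1\}$ is present before the clock ticks $i+1$, and the forward-security invariant that no stored set contains $i$ after tick $i$; the names `Pebble`, `theorem3_bound` and `simulate` are chosen here.

```python
# Added example: simulation of the pebbling schedule for T = 2^k.
# A "move" drops one element from a pebble's position (one exponentiation).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Pebble:
    p_lo: int            # position P = {p_lo, ..., p_hi}, a consecutive interval
    p_hi: int
    r_lo: int            # responsibility R = {r_lo, ..., r_hi}, R a subset of P
    r_hi: int
    born: Optional[int]  # clock tick at which it was cloned (None: the original)
    r0: int              # |R| at birth, which fixes the waiting and slow phases
    one_moves: int = 0   # single-step moves made so far (clones only)
    done: bool = False   # reached its leftmost singleton; removed on the next tick

    def at_singleton(self) -> bool:
        return self.p_lo == self.p_hi

    def speed(self, t: int) -> int:
        """Moves allowed right after clock tick t (timing rules 1 and 2)."""
        if self.born is None:
            return 2                               # original: always two moves
        if t - self.born < (self.r0 + 1) // 2:     # fewer than ceil(|R|/2) ticks old
            return 0
        if self.one_moves < self.r0:               # |R| moves at one per tick
            return 1
        return 2                                   # then two per tick

    def move(self, t: int, pebbles: List["Pebble"]) -> bool:
        """One move; clone first if R = P. Returns False if already at a singleton."""
        if self.at_singleton():
            self.done = True
            return False
        if (self.p_lo, self.p_hi) == (self.r_lo, self.r_hi):
            mid = (self.r_lo + self.r_hi) // 2     # clone takes the second half of R
            pebbles.append(Pebble(self.p_lo, self.p_hi, mid + 1, self.r_hi, t, self.r_hi - mid))
            self.r_hi = mid
        if self.p_lo < self.r_lo:                  # drop the smallest element of P \ R
            self.p_lo += 1                         # (this is what forward security needs)
        else:
            self.p_hi -= 1
        if self.at_singleton():
            self.done = True
        return True


def theorem3_bound(T: int, i: int) -> int:
    """Pebble (and move) bound of Theorem 3 after clock tick i, for -T < i < T."""
    if i >= 0:
        return (T - i).bit_length()                # 1 + floor(log2(T - i))
    return (T.bit_length() - 1) - ((-i).bit_length() - 1)


def simulate(T: int) -> Dict[str, int]:
    """Run the clock from -T/2 + 1 to T; report totals and whether every check held."""
    assert T > 1 and T & (T - 1) == 0, "T must be a power of two"
    pebbles = [Pebble(1, T, 1, T, None, T)]
    total = max_pebbles = max_moves = 0
    ok = True
    for t in range(-T // 2 + 1, T + 1):
        pebbles = [pb for pb in pebbles if not pb.done]  # removal on the next tick
        moves = 0
        for pb in list(pebbles):                         # clones born now act from t+1
            s = pb.speed(t)
            for _ in range(s):
                if not pb.move(t, pebbles):
                    break
                moves += 1
                if s == 1:
                    pb.one_moves += 1
        total += moves
        max_pebbles, max_moves = max(max_pebbles, len(pebbles)), max(max_moves, moves)
        if t < T:   # Theorem 3: pebble and move bounds, and {t+1} reached in time
            ok &= len(pebbles) <= theorem3_bound(T, t) and moves <= theorem3_bound(T, t)
            ok &= t < 0 or any(pb.p_lo == pb.p_hi == t + 1 for pb in pebbles)
        # forward security: after tick t no stored set may still contain t
        ok &= t < 1 or all(not (pb.p_lo <= t <= pb.p_hi) for pb in pebbles)
    return {"total_moves": total, "max_pebbles": max_pebbles,
            "max_moves_per_tick": max_moves, "all_checks_passed": ok}


if __name__ == "__main__":
    print(simulate(8))   # 24 moves, 4 pebbles, 3 moves per tick at most
```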

Acknowledgements. We thank Anna Lysyanskaya and Silvio Micali for helpful discussions about our complexity assumptions; Ron Rivest for sharing his insights on pebbling algorithms; and the anonymous referees for helpful com-

A Details of the Proof of Theorem

First, we assume that if $F$ outputs $(z, \sigma, j, e)$ as a forgery, then the hashing oracle has been queried on $(j, e, y, M)$, where $y = z^e v^\sigma \bmod n$ (any adversary can be modified to do that; this may raise the number of hash queries to $q_{hash} + 1$). We will also assume that $F$ performs the necessary bookkeeping and does not ask the same hash query twice.^ Note that $F$ may ask the same signature query twice, because the answers will most likely be different.

Recall that $A$'s job, given $\alpha$ and $n$, is to find (with $F$'s help) $\beta$ and $r > 1$ such that $\beta^r = \alpha \pmod n$. First, $A$ has to guess the time period for which $F$ will output the forgery: it randomly selects $j$, $1 \le j \le T$ (sometimes $A$ may also succeed if the forgery is for a time period $i < j$, but this is not necessary for our argument). $A$ then generates $e_1, \dots, e_T$ just like the real signer, sets $t_{j+1} = \alpha$ and computes $v$ as $v = 1/t_{j+1}^{f_{j+1}} \bmod n$, where, as above, $f_{j+1} = e_{j+1} \cdot \ldots \cdot e_T$. $A$ then comes up with a random tape for $F$, remembers it, and runs $F$ on that tape and the input public key $(n, v, T)$. If $F$ breaks in at time period $b$, then $A$ can provide $F$ with the secret key as long as $b > j$: knowing $t_{j+1}$ will allow $A$ to compute $s_b$ and $t_{b+1}$. If $b \le j$, then $A$ aborts (because, in particular, $F$'s forgery cannot be for time period $j$ in that case).

^ This may slightly increase the running time of $F$, but we will ignore costs of simple table look-up for the purposes of this analysis.

To answer $F$'s signature and hash queries, $A$ maintains two tables: a signature query table and a hash query table.

Signature queries can be answered almost at random, because $A$ controls the hash oracle. In order to answer signature query number $s$ on a message $M_s$ during time period $j_s$, $A$ selects a random $z_s \in Z_n^*$ and $\sigma_s \in \{0,1\}^l$, computes $y_s = z_s^{e_{j_s}} v^{\sigma_s}$ and checks its signature query table to see if a signature query on $M_s$ during time period $j_s$ has already been asked and if $y_s$ was used in answering it. If so, $A$ changes $z_s$ and $\sigma_s$ to the $z$ and $\sigma$ that were used in answering that query. Then $A$ adds the entry $(s, j_s, e_{j_s}, y_s, \sigma_s, z_s, M_s)$ to its signature query table and outputs $(z_s, \sigma_s, j_s, e_{j_s})$.

Hash queries are also answered at random. To answer the $t$-th hash query $(j'_t, e'_t, y'_t, M'_t)$, $A$ first checks its signature query table to see if there is an entry $(s, j_s, e_{j_s}, y_s, \sigma_s, z_s, M_s)$ such that $(j_s, e_{j_s}, y_s, M_s) = (j'_t, e'_t, y'_t, M'_t)$. If so, it just outputs $\sigma_s$. Otherwise, it picks a random $\sigma'_t \in \{0,1\}^l$, records in its hash query table the tuple $(t, y'_t, M'_t, j'_t, e'_t, \sigma'_t)$ and outputs $\sigma'_t$.

Assume now the break-in query occurs during time period $b > j$, and the valid forgery $(z, \sigma, i, e)$ is output for a time period $i \le j$ (if not, or if no valid forgery is output, $A$ fails). Let $y = z^e v^\sigma$. Because we modified $F$ to first ask a hash query on $(i, e, y, M)$, we have that, for some $h$, $(h, y, M, i, e, \sigma) = (h, y'_h, M'_h, j'_h, e'_h, \sigma'_h)$ in the hash query table (it can't come from the signature query table, because $F$ is not allowed to forge a signature on a message for which it asked a signature query). $A$ finds such an $h$ in its table and remembers it.

A now resets F with the same random tape as the first time, and runs it 
again, giving the exact same answers to all F’s queries before the h-th hash 
query (it can do so because it has all the answers recorded in the tables). Note 
that this means that F will be asking the same h-th hash query (i, e, y, M) as 
the first time. As soon as F asks the h-th hash query, however, A stops giving 
the answers from the tables and comes up with new answers at random, in the 
same manner as the first time. Let $\tau$ be the new answer given to the $h$-th hash query, and assume $\tau \ne \sigma$.

Assume again the break-in query occurs during time period $b > j$, and the valid forgery $(z', \sigma', i', e')$ is output for a time period $i' \le j$. $A$ again computes $y' = z'^{e'} v^{\sigma'}$; by the same reasoning as before, $F$ had to ask a hash query on $(i', e', y', M')$. Let $h'$ be the number of that query. $A$ finds $h'$ and fails if $h' \ne h$. If, however, $h' = h$, then $(i, e, y, M) = (i', e', y', M')$, simply because the $h$-th hash query had to be the same in both runs of $F$. Also then $\sigma' = \tau$. Therefore, $z^e v^\sigma = z'^e v^\tau$, so $(z/z')^e = v^{\tau - \sigma} = \alpha^{f_{j+1}(\sigma - \tau)} \pmod n$.

Note that because $e$ is guaranteed to be relatively prime with $f_{j+1}$ (as long as $i \le j$), and $\sigma - \tau$ has at least one fewer bit than $e$, $\gcd(f_{j+1}(\sigma - \tau), e) = \gcd(\sigma - \tau, e) < e$ (as long as $\sigma \ne \tau$). Thus, $r = e/\gcd(f_{j+1}(\sigma - \tau), e) > 1$ and, by Lemma 1, $A$ will be able to efficiently compute the $r$-th root of $\alpha$.

Running Time Analysis. $A$ runs $F$ twice. Preparing the public key and answering hashing and signing queries takes $A$ no longer than it would take the real oracles. To find the hashing query corresponding to the forgery and to apply Lemma 1 takes $O(lT(lT^2 + k^2))$ bit operations.
Probability Analysis. We will need the following lemma in our analysis.

Lemma 2. Let $a_1, a_2, \dots, a_\lambda$ be real numbers. Let $a = \sum_{i=1}^{\lambda} a_i$ and $s = \sum_{i=1}^{\lambda} a_i^2$. Then $s \ge a^2/\lambda$.

Proof. Let $b = a/\lambda$ and $b_i = b - a_i$. Then $\sum_{i=1}^{\lambda} b_i = 0$. Hence

$$\sum_{i=1}^{\lambda} a_i^2 = \sum_{i=1}^{\lambda} (b - b_i)^2 = \lambda b^2 - 2b \sum_{i=1}^{\lambda} b_i + \sum_{i=1}^{\lambda} b_i^2 \ge \lambda b^2 = \frac{a^2}{\lambda}. \qquad \square$$



First, consider the probability that $A$'s answers to $F$'s oracle queries are distributed as those of the true oracles that $F$ expects. This is the case unless, for some signature query, the hash value that $A$ needs to define has already been defined through a previous answer to a hash query (call this “$A$'s failure to pretend”). Because $z$ is picked at random from $Z_n^*$, $z^e v^\sigma$ is a random element of $Z_n^*$. The probability of its collision with a value from a hash query in the same execution of $F$ is at most $(q_{hash} + 1)/|Z_n^*|$; thus, the probability (taken over only the random choices of $A$) of $A$'s failure to pretend is at most $q_{sig}(q_{hash} + 1)/|Z_n^*| < q_{sig}(q_{hash} + 1) 2^{2-k}$ (because $|Z_n^*| = 4 q_1 q_2 > 2^{k-2}$). This is exactly the amount by which $F$'s probability of success is reduced because of interaction with $A$ rather than the real signer. Let $\delta = \varepsilon - q_{sig}(q_{hash} + 1) 2^{2-k}$.

Let $\varepsilon_b$ be the probability that $F$ produces a successful forgery and that its break-in query occurs in time period $b$. Clearly, $\delta = \sum_{b=2}^{T+1} \varepsilon_b$ (if $b = 1$ then $F$ cannot forge for any time period). Assume now that $A$ picked $j = b - 1$ for some fixed $b$. The probability of that is $1/T$.

We will now calculate the probability of the event that $F$ outputs a valid forgery based on the same hash query both times and that the hash query was answered differently the second time and that the break-in query was $b$ both times. Let $p_{h,b}$ be the probability that, in one run, $F$ produces a valid forgery based on hash query number $h$ after break-in query in time period $b$. Clearly,

$$\varepsilon_b = \sum_{h=1}^{q_{hash}+1} p_{h,b}.$$



Let $p_{h,b,S}$ (for a sufficiently long binary string $S$ of length $m$) be the probability that, in one run, $F$ produces a valid forgery based on hash query number $h$ after break-in query in time period $b$, given that the string $S$ was used to determine the random tape of $F$ and the responses to all the oracle queries of $F$ until (and not including) the $h$-th hash query. We have that

$$2^m p_{h,b} = \sum_{S \in \{0,1\}^m} p_{h,b,S}.$$

Given such a fixed string $S$, the probability that $F$ produces a valid forgery based on the hash query number $h$ after break-in query in time period $b$ in both runs is $p_{h,b,S}^2$ (because the first forgery is now independent of the second forgery). The additional requirement that the answer to the hash query in the second run be different reduces this probability to $p_{h,b,S}(p_{h,b,S} - 2^{-l})$. Thus, the probability $q_{h,b}$ that $F$ produces a valid forgery based on the hash query number $h$ in both runs and that the answer to the hash query is different in the second run and that the break-in query was $b$ in both runs is

$$q_{h,b} = \sum_{S \in \{0,1\}^m} 2^{-m} p_{h,b,S}(p_{h,b,S} - 2^{-l}) = 2^{-m}\Big(\sum_{S \in \{0,1\}^m} p_{h,b,S}^2 - 2^{-l} \sum_{S \in \{0,1\}^m} p_{h,b,S}\Big) \ge 2^{-m}\Big(\frac{(p_{h,b} 2^m)^2}{2^m} - 2^{-l} p_{h,b} 2^m\Big) = p_{h,b}^2 - 2^{-l} p_{h,b}$$

(by Lemma 2).

The probability that $F$ outputs a valid forgery based on the same hash query both times and that the hash query was answered differently in the second run and that the break-in query occurred in time period $b$ is now

$$\sum_{h=1}^{q_{hash}+1} q_{h,b} \ge \sum_{h=1}^{q_{hash}+1} \big(p_{h,b}^2 - 2^{-l} p_{h,b}\big) \ge \frac{\varepsilon_b^2}{q_{hash}+1} - 2^{-l} \varepsilon_b$$

(by Lemma 2).

Note that if this happens, then the forgery occurs in time period $i < b = j + 1$ (because the forgery has to occur before the break-in query), so $A$ will be able to take a root of $\alpha$.

Finally, we again use Lemma 2 to remove the assumption that $A$ picked $j = b - 1$ as the time period to get the probability of $A$'s success:

$$\frac{1}{T} \sum_{b=2}^{T+1} \Big(\frac{\varepsilon_b^2}{q_{hash}+1} - 2^{-l} \varepsilon_b\Big)$$
Abstract. The notion of on-line/off-line signature schemes was introduced in 1990 by Even, Goldreich and Micali. They presented a general 
method for converting any signature scheme into an on-line/off-line sig- 
nature scheme, but their method is not very practical as it increases 
the length of each signature by a quadratic factor. In this paper we use 
the recently introduced notion of a trapdoor hash function to develop a 
new paradigm called hash-sign-switch, which can convert any signature 
scheme into a highly efficient on-line/off-line signature scheme: In its rec- 
ommended implementation, the on-line complexity is equivalent to about 
0.1 modular multiplications, and the size of each signature increases only 
by a factor of two. In addition, the new paradigm enhances the security of 
the original signature scheme since it is only used to sign random strings 
chosen off-line by the signer. This makes the converted scheme secure 
against adaptive chosen message attacks even if the original scheme is 
secure only against generic chosen message attacks or against random 
message attacks. 

Keywords: signature schemes, on-line/off-line, trapdoor hash functions. 



1 Introduction 

Digital signature schemes are among the most fundamental and useful inven- 
tions of modern cryptography. In such schemes, each user generates a (private) 
signing key and a (public) verification key. A user signs a message using his pri- 
vate signing key, and anyone can authenticate the signer and verify the message 
by using the signer’s public verification key. A signature scheme is considered 
to be secure if signatures on new messages cannot be forged by any attacker 
who knows the user’s public key but not his private key. Many constructions of 
signature schemes appear in the literature, but most of these schemes have un- 
proven security, and the few schemes that are provably secure (under standard 
cryptographic assumptions) are not fast enough for many practical applications. 
Signature schemes that are efficient and provably secure are interesting both 
from a practical and a theoretical point of view. 

In this paper, we introduce a general method for simultaneously improving both the security and the real-time efficiency of any signature scheme by converting it into an efficient on-line/off-line signature scheme. This notion was first introduced by Even, Goldreich and Micali [?]. The idea is to perform the signature generating procedure in two phases. The first phase is performed off-line (before the message to be signed is given) and the second phase is performed on-line (after the message to be signed is given). On-line/off-line signature schemes are useful, since in many applications the signer has a very limited response time once the message is presented, but he can carry out costly computations between consecutive signing requests. On-line/off-line signature schemes are particularly useful in smart card applications: The off-line phase is implemented either during the card manufacturing process or as a background computation whenever the card is connected to power, and the on-line phase uses the stored result of the off-line phase to sign actual messages. The on-line phase is typically very fast, and hence can be executed efficiently even on a weak processor.

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 355–367, 2001.

Some signature schemes can be naturally partitioned into off-line and on- 
line phases. For example, the first step in the Fiat-Shamir, Schnorr, El-Gamal 
and DSS signature schemes does not depend on the given message, and can 
thus be carried out off-line. However, these are particular schemes with special 
structure and specific security assumptions rather than a general and provably 
secure conversion technique for arbitrary signature schemes. 

Even, Goldreich and Micali presented a general method for converting any signature scheme into an on-line/off-line signature scheme. Their method uses a one-time signature scheme, i.e., a scheme which can securely sign only a single message. The essence of their method is to apply (off-line) the ordinary signing algorithm to authenticate a fresh one-time verification key, and then to apply (on-line) the one-time signing algorithm, which is typically very fast. In the basic [?] construction of a one-time bit-oriented signature scheme, the size of each signature is quadratic in $k$ (where $k$ is the size of the message and the security parameter). Additional constructions were proposed in [?], but they offer a very inefficient tradeoff between the size of the keys and the complexity of the one-time signing algorithm. In this paper, we present a method that increases the length of the signatures by an additive (rather than multiplicative) factor of $k$ bits.

Our method uses a special type of hash functions, called trapdoor hash functions. These functions were recently introduced by Krawczyk and Rabin [?], who used them to construct chameleon signatures. Chameleon signatures are signatures that commit the signer to the contents of the signed message (as regular signatures do) but do not allow the recipient of the signature to convince third parties that a particular message was signed, since the recipient can change the signed message to any other message of his choice.

A trapdoor hash function is associated with a public key and a private key, referred to as the hash key $HK$ and the trapdoor key $TK$, respectively. Loosely speaking, a trapdoor hash function is a probabilistic function $h$, such that collisions are difficult to generate when only $HK$ is known, but easy to generate when $TK$ is also known. More formally, given only $HK$, it is hard to find two messages $m, m'$ and two auxiliary numbers $r, r'$ such that $h(m; r) = h(m'; r')$, but given $(HK, TK)$ and $m, m', r'$, it is easy to find $r$ such that $h(m; r) = h(m'; r')$. Note that this requirement is weaker than the requirement of trapdoor permutations, and thus it may be easier to find efficient trapdoor hash functions than to find efficient signature schemes based on trapdoor permutations.

The essence of our method is to hash the given message using a trapdoor hash function (rather than a regular hash function) and then to sign the hashed value using the given signature scheme. The resultant signature scheme can be implemented as an on-line/off-line signature scheme as follows: The off-line phase uses the original signature scheme to sign the hash value $h(m'; r')$ of a random message $m'$ and a random auxiliary number $r'$. Given an actual message $m$, the on-line phase uses the same precomputed signature of the randomly chosen $m'$ as a signature of the given message $m$, by using the trapdoor key to find a collision of the form $h(m'; r') = h(m; r)$. The signature of $m$ consists of the new auxiliary number $r$ and the precomputed signature of $h(m'; r')$. We call this paradigm a hash-sign-switch scheme. Notice that the on-line phase is completely independent of the original signature scheme, and consists only of finding a collision of the trapdoor hash function. In particular, we describe a trapdoor hash function in which collisions can be found with time complexity equivalent to about 0.1 modular multiplications. Hence, for any signature scheme, its on-line/off-line version can be implemented such that the on-line phase requires only this negligible time complexity, and the size of the signature is only increased by adding $r$ to the original signature.
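
As an added example (not the authors' code), the on-line phase of the hash-sign-switch paradigm with the discrete-log trapdoor hash $h_{HK}(m; r) = g^m y^r \bmod p$ of Construction 2 in Section 2, together with the trapdoor-recovery observation made in the footnote to Definition 1; the group parameters $p = 1019$, $q = 509$, $g = 4$ and all function names are constructed for illustration and are far too small for real use.

```python
# Added example: discrete-log trapdoor hash and the hash-sign-switch on-line phase.
import secrets
from typing import NamedTuple, Tuple


class HashKey(NamedTuple):
    p: int  # safe prime, p = 2q + 1
    q: int
    g: int  # element of Z_p^* of order q
    y: int  # y = g^alpha mod p


# Constructed toy group (far too small for real use): p = 1019 = 2*509 + 1 with
# 509 prime; g = 4 is a quadratic residue != 1, so its order is q = 509.
P, Q, G = 1019, 509, 4


def keygen(alpha: int) -> Tuple[HashKey, int]:
    """I(1^k): hash key HK = (p, g, y) and trapdoor key TK = alpha in Z_q^*."""
    assert 0 < alpha < Q
    return HashKey(P, Q, G, pow(G, alpha, P)), alpha


def trapdoor_hash(hk: HashKey, m: int, r: int) -> int:
    """h_HK(m; r) = g^m * y^r mod p, with m, r taken in Z_q."""
    return pow(hk.g, m % hk.q, hk.p) * pow(hk.y, r % hk.q, hk.p) % hk.p


def trapdoor_collision(hk: HashKey, tk: int, m1: int, r1: int, m2: int) -> int:
    """Property 3: g^m1 y^r1 = g^m2 y^r2 iff m1 + alpha*r1 = m2 + alpha*r2 (mod q),
    so r2 = r1 + (m1 - m2) * alpha^-1 mod q.  r2 is uniform in Z_q whenever r1 is."""
    return (r1 + (m1 - m2) * pow(tk, -1, hk.q)) % hk.q


def recover_trapdoor(hk: HashKey, m1: int, r1: int, m2: int, r2: int) -> int:
    """Footnote to Definition 1: one collision with m1 != m2 reveals
    alpha = (m1 - m2) / (r2 - r1) mod q, so a signer must never switch the same
    precomputed hash value to two different messages."""
    return (m1 - m2) * pow((r2 - r1) % hk.q, -1, hk.q) % hk.q


def offline_phase(hk: HashKey) -> Tuple[int, int, int]:
    """Off-line: pick random m', r'; the original scheme signs c = h(m'; r').
    The signing step itself is abstract here: c is what that signature covers."""
    m_prime, r_prime = secrets.randbelow(hk.q), secrets.randbelow(hk.q)
    return m_prime, r_prime, trapdoor_hash(hk, m_prime, r_prime)


def online_phase(hk: HashKey, tk: int, m_prime: int, r_prime: int, m: int) -> int:
    """On-line: one inversion and one multiplication mod q give r with h(m; r) = c.
    The signature of m is (r, precomputed signature of c); a verifier recomputes
    h(m; r) and checks the original signature on it."""
    return trapdoor_collision(hk, tk, m_prime, r_prime, m)


if __name__ == "__main__":
    hk, tk = keygen(123)
    m_prime, r_prime, c = offline_phase(hk)
    r = online_phase(hk, tk, m_prime, r_prime, 999)
    print(trapdoor_hash(hk, 999, r) == c)                       # True
    print(recover_trapdoor(hk, m_prime, r_prime, 999, r) == tk)  # True
```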

For any signature scheme, we prove that our on-line/off-line version is at 
least as secure as the original scheme, provided that the trapdoor hash family is 
secure. In fact, we prove that the converted scheme is even more secure than the 
original scheme, since the original scheme is only applied to random messages 
chosen exclusively by the signer. In particular, we can show that the on-line/off- 
line signature scheme is secure against adaptive chosen message attacks even 
if the original signature scheme is secure only against generic chosen message 
attacks or random message attacks. Note for example, that the Rabin signature scheme [?] and the RSA signature scheme [?] are not secure against adaptive 
chosen message attacks, but are believed to be secure against random message 
attacks, and hence we believe that our method enhances the security of these 
schemes. 

2 Definitions and Constructions 

In this section, we introduce the basic notations and definitions used in this paper and present some constructions of trapdoor hash functions. For any binary string $x$, we denote by $|x|$ the length of $x$. For any finite set $V$, the notation $x \in_R V$ implies that $x$ is uniformly distributed in $V$.

We consider the following types of attacks: 

— Random message attack: The attacker has access to an oracle that signs (with the unknown signing key $SK$) random messages chosen by the oracle.

— Generic chosen message attack: The attacker is given signatures for a list of 
messages of his choice. However, this list should be produced before any 
signature is given, and should be independent of the verification key VK. 
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— Adaptive chosen message attack: The attacker has access to an oracle that 
signs any queried message m. In particular, the choice of each query m 
can depend on the verification key VK and on the signature produced for 
previous messages. 

— Q-adaptive chosen message attack: An adaptive chosen message attack where 
the attacker can query the oracle at most Q times. 

In this work, a signature scheme is considered to be secure (against a certain type of attack) if there does not exist a probabilistic polynomial-time forger that generates a pair consisting of some new message (that was not previously presented to the oracle) and a valid signature, with a probability which is not negligible. This property was called existential unforgeability in [?].

In the remaining part of this section, we concentrate on the notion of a trapdoor hash function [3]. A trapdoor hash function is a special type of hash function, whose collision resistance depends on the user's state of knowledge. Every trapdoor hash function is associated with a pair of public key and private key, referred to as the hash key $HK$ and the trapdoor key $TK$, respectively:

Definition 1. (trapdoor hash family) A trapdoor hash family consists of a pair $(\mathcal{I}, \mathcal{H})$ such that:

— $\mathcal{I}$ is a probabilistic polynomial-time key generation algorithm that on input $1^k$ outputs a pair $(HK, TK)$, such that the sizes of $HK, TK$ are polynomially related to $k$.

— $\mathcal{H}$ is a family of randomized hash functions. Every hash function in $\mathcal{H}$ is associated with a hash key $HK$, and is applied to a message from a space $\mathcal{M}$ and a random element from a finite space $\mathcal{R}$. The output of the hash function $h_{HK}$ does not depend on $TK$.

A trapdoor hash family $(\mathcal{I}, \mathcal{H})$ has the following properties:

1. Efficiency: Given a hash key $HK$ and a pair $(m, r) \in \mathcal{M} \times \mathcal{R}$, $h_{HK}(m; r)$ is computable in polynomial time.

2. Collision resistance: There is no probabilistic polynomial-time algorithm $A$ that on input $HK$ outputs, with a probability which is not negligible, two pairs $(m_1, r_1), (m_2, r_2) \in \mathcal{M} \times \mathcal{R}$ that satisfy $m_1 \ne m_2$ and $h_{HK}(m_1; r_1) = h_{HK}(m_2; r_2)$ (the probability is over $HK$, where $(HK, TK) \leftarrow \mathcal{I}(1^k)$, and over the random coin tosses of algorithm $A$).^

3. Trapdoor collisions: There exists a probabilistic polynomial time algorithm that given a pair $(HK, TK) \leftarrow \mathcal{I}(1^k)$, a pair $(m_1, r_1) \in \mathcal{M} \times \mathcal{R}$, and an additional message $m_2 \in \mathcal{M}$, outputs a value $r_2 \in \mathcal{R}$ such that:

— $h_{HK}(m_1; r_1) = h_{HK}(m_2; r_2)$.

— If $r_1$ is uniformly distributed in $\mathcal{R}$ then the distribution of $r_2$ is computationally indistinguishable from uniform in $\mathcal{R}$.

^ Note that it is not required that given one collision it remains hard to find new collisions. Indeed, all the constructions that we present have the property that given a hash key $HK$ and given a single collision of $h_{HK}$, one can easily compute a trapdoor key $TK$ such that the pair $(HK, TK)$ is in the range of $\mathcal{I}(1^k)$.
We refer to every member of a trapdoor hash family as a trapdoor hash function. We now present three constructions of trapdoor hash families. The first two constructions were presented in [?] and the third construction is a new one.

1. A trapdoor hash function based on the Factoring assumption.

- The key generation algorithm $\mathcal{I}$: Choose at random two primes $p, q \in \{0, 1\}^{k/2}$ such that $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$, and compute $n = pq$. The public hash key is $n$ and the private trapdoor key is $(p, q)$.

- The hash family $\mathcal{H}$: For a hash key $n$, $h_{HK}$ is a function from $\mathcal{M} \times QR_n$, where $\mathcal{M}$ is any suffix free subset of $\{0, 1\}^*$ and $QR_n = \{x \in \mathbb{Z}_n^* : (\tfrac{x}{p}) = (\tfrac{x}{q}) = 1\}$. Given a message $m = m[1]m[2] \ldots m[|m|]$ and a random value $r \in_R QR_n$,

$h_{HK}(m; r) \stackrel{\text{def}}{=} f_{m[1]} \circ f_{m[2]} \circ \cdots \circ f_{m[|m|]}(r),$

where $f_0(x) \pmod n$ and $f_1(x) \pmod n$ are the two permutations of Remark 1. (Note that $h(m; r) = \ldots \pmod n$.)

Remark 1. The functions $f_0$ and $f_1$ were introduced in [0], who proved that they are claw free permutations, and used this property to construct an (inefficient) provably secure signature scheme.

Lemma 1. The pair $(\mathcal{I}, \mathcal{H})$ is a trapdoor hash family, under the Factoring Assumption.

A proof of this lemma appears in Appendix A. This trapdoor hash function has the following additional property: There exists a probabilistic polynomial-time algorithm that given a pair $(HK, TK)$ (of hash key and trapdoor key), a message $m \in \mathcal{M}$ and any value $c$ in the image of $h_{HK}$, outputs $r \in \mathcal{R}$ such that:

- $h_{HK}(m; r) = c$.

- If $c$ is uniformly distributed (in the image of $h_{HK}$) then the distribution of $r$ is computationally indistinguishable from uniform (in $\mathcal{R}$).

Note that this inversion property is stronger than the ability to generate collisions. We will use it to convert any signature scheme which is provably secure only against random message attacks into a signature scheme which is provably secure against adaptive chosen message attacks.

2. A trapdoor hash family based on the Discrete Log Assumption

- The key generation algorithm $\mathcal{I}$. Choose at random a safe prime $p \in \{0, 1\}^k$ (i.e., a prime $p$ such that $q = (p-1)/2$ is prime) and an element $g \in \mathbb{Z}_p^*$ of order $q$. Choose a random element $\alpha \in_R \mathbb{Z}_q^*$ and compute $y = g^{\alpha} \pmod p$. The public hash key is $(p, g, y)$ and the private trapdoor key is $\alpha$.

- The hash family $\mathcal{H}$. For $HK = (p, g, y)$, $h_{HK} : \mathbb{Z}_q \times \mathbb{Z}_q \to \mathbb{Z}_p^*$ is defined as follows: $h_{HK}(m; r) = g^{m} y^{r} \pmod p$.

Lemma 2. The pair $(\mathcal{I}, \mathcal{H})$ is a trapdoor hash family, under the Discrete Log Assumption.

A proof of this lemma appears in Appendix B.
3. A new trapdoor hash family based on the Factoring Assumption.

- The key generation algorithm $\mathcal{I}$. Choose at random two safe primes $p, q \in \{0, 1\}^{k/2}$ (i.e., primes such that $p' = (p-1)/2$ and $q' = (q-1)/2$ are primes) and compute $n = pq$. Choose at random an element $g \in \mathbb{Z}_n^*$ of order $\lambda(n)$ ($\lambda(n) = \mathrm{lcm}(p-1, q-1) = 2p'q'$). The public hash key is $(n, g)$ and the private trapdoor key is $(p, q)$.

- The hash family $\mathcal{H}$. For $HK = (n, g)$, $h_{HK} : \mathbb{Z}_n \times \mathbb{Z}_{\lambda(n)} \to \mathbb{Z}_n^*$ is defined as follows: $h_{HK}(m; r) = g^{m \circ r} \pmod n$ (where $m \circ r$ denotes the concatenation of $m$ and $r$).

Lemma 3. The pair $(\mathcal{I}, \mathcal{H})$ is a trapdoor hash family, under the Factoring Assumption.

A proof of this lemma appears in Appendix C.

We summarize the efficiency analysis of these three constructions of trapdoor hash families in the following table. We assume that the messages in $\mathcal{M}$ and the random seeds in $\mathcal{R}$ are of size $\approx k$.

Construction | Computing $h_{HK}$ | Finding collisions | Inversion prop. | Assumption
1 | $k$ mult. | $\approx 5$ exp. | YES | Factoring
2 | 1 exp. | $\approx 1$ mult. | NO | Discrete Log
3 | 1 exp. | $\approx 0.1$ mult. | NO | Factoring



Remark 2. The complexity of collision finding in construction 3 is equivalent to 
about one tenth of a regular modular multiplication, since for 1024 bit keys and 
160 bit (hashed) messages, it requires only two additions/subtractions and one 
reduction of a 1184 bit number modulo a 1024 bit number. See Appendix C for 
further details. 



Remark 3. The relaxed security conditions of trapdoor hash functions may lead 
to new types of signature schemes whose hash functions are based on multi- 
variate polynomials. Most of the multivariate signature schemes proposed so far 
were broken by attacking their hidden inversion structure. In the new paradigm, 
there is no need to invert h{m; r) = c, and thus they may be more resistant to 
cryptanalytic attacks. 

3 The Hash-Sign-Switch Paradigm

We now introduce our general method for combining any trapdoor hash family $(\mathcal{I}, \mathcal{H})$ and any signature scheme $(G, S, V)$ to get an on-line/off-line signature scheme. For a security parameter $k$, we construct an on-line/off-line scheme $(G', S', V')$, as follows.
- The Key Generation Algorithm $G'$.

1. Generate a pair $(SK, VK)$ of signing key and verification key, by applying $G$ to the input $1^k$ (where $G$ is the key generation algorithm of the original scheme).

2. Generate a pair $(HK, TK)$ of hash key and trapdoor key, by applying $\mathcal{I}$ to the input $1^k$ (where $\mathcal{I}$ is the key generation algorithm of the trapdoor hash family).

The signing key is $(SK, HK, TK)$ and the verification key is $(VK, HK)$.

- The Signing Algorithm $S'$. Given a signing key $(SK, HK, TK)$, the signing algorithm operates as follows.

1. Off-line phase:

• Choose at random $(m', r') \in_R \mathcal{M} \times \mathcal{R}$, and compute $h_{HK}(m'; r')$ (using $HK$).

• Run the signing algorithm $S$ with the signing key $SK$ to sign the message $h_{HK}(m'; r')$. Denote the output $S_{SK}(h_{HK}(m'; r'))$ by $\Sigma$.

• Store the pair $(m', r')$, the hash value $h_{HK}(m'; r')$, and the signature $\Sigma$. (The hash value $h_{HK}(m'; r')$ is stored only to avoid its recomputation in the on-line phase).

2. On-line phase: Given a message $m$, the on-line phase proceeds as follows.

• Retrieve from memory the pair $(m', r')$, the hash value $h_{HK}(m'; r')$, and the signature $\Sigma$.

• Find $r \in \mathcal{R}$ such that $h_{HK}(m; r) = h_{HK}(m'; r')$.

• Send $(r, \Sigma)$^2 as a signature of $m$.

- The Verification Algorithm $V'$. To verify that the pair $(r, \Sigma)$ is indeed a signature of the message $m$, with respect to the verification key $(VK, HK)$, compute $h_{HK}(m; r)$ and use the verification algorithm $V$ (of the original signature scheme) to check that $\Sigma$ is indeed a signature of the hash value $h_{HK}(m; r)$ with the verification key $VK$.
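As an added, self-contained example (this is not code from the paper or its authors), the following Python implements construction 2 of Section 2, the discrete-log trapdoor hash $h_{HK}(m; r) = g^m y^r \bmod p$, and wires it into the hash-sign-switch scheme $(G', S', V')$ of this section. Schnorr signatures over the same group stand in for the arbitrary original scheme $(G, S, V)$; the toy 10-bit safe-prime group, the message space $\mathbb{Z}_q$ (a real message would first be hashed into $\mathbb{Z}_q$) and all function names are this example's own assumptions. It also exercises the point of footnote 1 and Appendix B: a single collision between two different messages reveals the trapdoor $\alpha$, which is why every precomputed $(m', r')$ must be consumed by exactly one on-line signature.

```python
"""Added example: construction 2 (discrete-log trapdoor hash) and the
hash-sign-switch on-line/off-line signature built on top of it.
Schnorr is this example's choice for the original scheme (G, S, V)."""
import hashlib
import secrets

# Toy safe-prime group, constructed for this example: p = 2q + 1, g of order q.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


# --- Trapdoor hash family (I, H), construction 2: h_HK(m; r) = g^m y^r mod p ---

def keygen_hash(alpha=None):
    """I(1^k): trapdoor key alpha in Z_q^*, hash key (p, g, y = g^alpha)."""
    if alpha is None:
        alpha = 1 + secrets.randbelow(Q - 1)
    return (P, G, pow(G, alpha, P)), alpha


def trapdoor_hash(hk, m, r):
    p, g, y = hk
    return (pow(g, m % Q, p) * pow(y, r % Q, p)) % p


def find_collision(tk, m1, r1, m2):
    """Trapdoor collision (Appendix B): r2 = alpha^{-1}(m1 - m2) + r1 mod q."""
    return (pow(tk, -1, Q) * (m1 - m2) + r1) % Q


def recover_trapdoor(m1, r1, m2, r2):
    """Footnote 1 / Appendix B: one collision with m1 != m2 leaks alpha,
    alpha = (r2 - r1)^{-1}(m1 - m2) mod q.  Hence a precomputed (m', r')
    must never be reused for two different messages."""
    return (pow((r2 - r1) % Q, -1, Q) * (m1 - m2)) % Q


# --- Original signature scheme (G, S, V): Schnorr over the same group ---

def schnorr_keygen(x=None):
    if x is None:
        x = 1 + secrets.randbelow(Q - 1)
    return pow(G, x, P), x                       # (VK, SK)


def _challenge(big_r, c):
    digest = hashlib.sha256(f"{big_r}|{c}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def schnorr_sign(sk, c):
    k = 1 + secrets.randbelow(Q - 1)
    big_r = pow(G, k, P)
    return big_r, (k + sk * _challenge(big_r, c)) % Q


def schnorr_verify(vk, c, sig):
    big_r, s = sig
    return pow(G, s, P) == (big_r * pow(vk, _challenge(big_r, c), P)) % P


# --- Hash-sign-switch: (G', S', V') ---

class OnlineOfflineSigner:
    def __init__(self, x=None, alpha=None):
        self.vk, self.sk = schnorr_keygen(x)       # step 1 of G'
        self.hk, self.tk = keygen_hash(alpha)      # step 2 of G'
        self.tokens = []                           # off-line precomputations

    def verification_key(self):
        return self.vk, self.hk                    # (VK, HK); TK stays secret

    def offline(self):
        """Off-line phase: hash a random (m', r') and sign the hash value."""
        m_prime, r_prime = secrets.randbelow(Q), secrets.randbelow(Q)
        c = trapdoor_hash(self.hk, m_prime, r_prime)
        self.tokens.append((m_prime, r_prime, c, schnorr_sign(self.sk, c)))

    def online(self, m):
        """On-line phase: one collision-finding step, no signing-key operation."""
        m_prime, r_prime, _c, sigma = self.tokens.pop()
        return find_collision(self.tk, m_prime, r_prime, m), sigma


def verify(vk_pair, m, signature):
    """V': recompute h_HK(m; r) and verify Sigma under the original scheme."""
    vk, hk = vk_pair
    r, sigma = signature
    return schnorr_verify(vk, trapdoor_hash(hk, m, r), sigma)


if __name__ == "__main__":
    signer = OnlineOfflineSigner()
    signer.offline()
    sig = signer.online(42)
    print("valid:", verify(signer.verification_key(), 42, sig))
```

The on-line step costs one inversion and one multiplication modulo $q$, matching the "$\approx 1$ mult." entry for construction 2 in the table of Section 2, and the verifier never needs $TK$.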

We now analyze the security and the efficiency of the resultant on-line/off-line 
signature scheme. 



3.1 Efficiency 

The off-line phase of the signing algorithm consists of one evaluation of the 
trapdoor hash function and one invocation of the original signing algorithm. 
The verification algorithm of the on-line/off-line signature scheme consists of 
one evaluation of the trapdoor hash function and one invocation of the origi- 
nal verification algorithm. Hence, the additional overhead of the off-line signing 
phase and the verification algorithm is a single evaluation of the trapdoor hash 
function. The on-line phase consists of a single collision finding computation. 

^2 Note that the signature $(r, \Sigma)$ has the property that the distribution of $r$ is computationally indistinguishable from uniform in $\mathcal{R}$, and that the distribution of $\Sigma$ is identical to the distribution of $S_{SK}(h_{HK}(m; r))$.

Using the third type of trapdoor hash function presented in Section 2, evaluation requires one modular exponentiation, and collision finding requires about 0.1 modular multiplications. The length of the keys and the length of the signatures increase only by a factor of two, which is much better than in previous proposals.

3.2 Security 

The general conversion technique proposed in this paper preserves the security 
of the original signature scheme, and even improves it in some respects since the 
opponent cannot control the random strings it is asked to sign during the off- 
line phase. We can thus prove that our on-line/off-line signature scheme is secure 
against adaptive chosen message attacks, even if the original signature scheme is 
secure only against generic chosen message attacks. Due to the practical emphasis 
of this work, we focus on exact security, rather than on asymptotic security. 

Lemma 4. Let $(G, S, V)$ be a signature scheme and let $(\mathcal{I}, \mathcal{H})$ be a trapdoor hash family. Let $(G', S', V')$ be the resultant on-line/off-line signature scheme. Suppose that $(G', S', V')$ is existentially forgeable by a $Q$-adaptive chosen message attack in time $T$ with success probability $\epsilon$. Then one of the following cases holds:

1. There exists a probabilistic algorithm that given a hash key $HK$, finds collisions of $h_{HK}$ in time $T + T_G + Q(T_{\mathcal{H}} + T_S)$ with success probability $\ge \epsilon/2$ (where $T_G$ is the running time of $G$, $T_{\mathcal{H}}$ is the running time required to compute functions in $\mathcal{H}$, and $T_S$ is the running time of $S$).

2. The original signature scheme $(G, S, V)$ is existentially forgeable by a generic $Q$-chosen message attack in time $T + Q(T_{\mathcal{H}} + T_{COL}) + T_{\mathcal{I}}$ with success probability $\ge \epsilon/2$ (where $T_{COL}$ is the time required to find collisions of the trapdoor hash function given the hash key and the trapdoor key, and $T_{\mathcal{I}}$ is the running time of algorithm $\mathcal{I}$).

Proof. Suppose that $\mathcal{F}'$ is a probabilistic algorithm that given a verification key $(HK, VK)$, forges a signature with respect to the signature scheme $(G', S', V')$ by a $Q$-chosen message attack in time $T$ with success probability $\epsilon$. Let $m_1, \ldots, m_Q$ denote the $Q$ queries that the forger $\mathcal{F}'$ sends to the signing oracle, and let $(r_1, \Sigma_1), \ldots, (r_Q, \Sigma_Q)$ denote the corresponding signatures produced by the oracle. Let $m, (r, \Sigma)$ denote the output of $\mathcal{F}'$. Since with probability $\ge \epsilon$, $(r, \Sigma)$ is a valid signature of the message $m$ (with respect to the on-line/off-line signature scheme $(G', S', V')$), it follows that

$\Pr[V_{VK}(h_{HK}(m; r), \Sigma) = 1] \ge \epsilon.$

Hence, one of the following cases holds:

1. $\Pr[V_{VK}(h_{HK}(m; r), \Sigma) = 1 \;\&\; \exists i \text{ s.t. } h_{HK}(m_i; r_i) = h_{HK}(m; r)] \ge \epsilon/2$.

2. $\Pr[V_{VK}(h_{HK}(m; r), \Sigma) = 1 \;\&\; \forall i,\; h_{HK}(m_i; r_i) \ne h_{HK}(m; r)] \ge \epsilon/2$.
If case 1 holds, then we define a probabilistic algorithm $A$ that given a hash key $HK$ finds collisions of the hash function $h_{HK}$, as follows.

1. Generate a pair $(SK, VK)$ of signing key and verification key, by applying $G$ to the input $1^k$ (where $G$ is the key generation algorithm of the original signature scheme).

2. Simulate the forger $\mathcal{F}'$ on the input $(VK, HK)$, such that whenever $\mathcal{F}'$ queries the signing oracle $S'$ with a query $m_i$, algorithm $A$ operates as follows:

- Choose at random $r_i \in_R \mathcal{R}$ and compute $h_{HK}(m_i; r_i)$.

- Generate a valid signature of $h_{HK}(m_i; r_i)$ (with respect to the original signature scheme $(G, S, V)$), by using the known signing key $SK$. Denote the generated signature of $h_{HK}(m_i; r_i)$ by $\Sigma_i$.

- Proceed in the simulation of $\mathcal{F}'$ as if the signature obtained by the signing oracle $S'$ was $(r_i, \Sigma_i)$.

Note that the distribution of the simulated oracle is identical to the distribution of the real oracle, and hence with probability $\ge \epsilon/2$, $A$ succeeds in obtaining a message $m$ and a pair $(r, \Sigma)$, such that for every $i$, $m \ne m_i$, and there exists $i$ such that $h_{HK}(m; r) = h_{HK}(m_i; r_i)$. Hence, $A$ succeeds in finding collisions to the hash function $h_{HK}$ with probability $\ge \epsilon/2$ in time $T + T_G + Q(T_{\mathcal{H}} + T_S)$.

If case 2 holds, we define a probabilistic algorithm $\mathcal{F}$ that forges a signature with respect to $(G, S, V)$ by a generic $Q$-chosen message attack, as follows.

1. Generate a pair $(HK, TK)$ of hash key and trapdoor key, by applying $\mathcal{I}$ to the input $1^k$ (where $\mathcal{I}$ is the key generation algorithm of the trapdoor hash family).

2. Choose at random $Q$ pairs $(m'_i, r'_i) \in_R \mathcal{M} \times \mathcal{R}$ and compute $h_{HK}(m'_i; r'_i)$. The set $\{h_{HK}(m'_i; r'_i)\}_{i=1}^{Q}$ will be the set of queries to the signing oracle $S$.

Given a verification key $VK$ and given a set of signatures $\{\Sigma_i\}_{i=1}^{Q}$ (where $\Sigma_i$ is a signature of $h_{HK}(m'_i; r'_i)$ with respect to the verification key $VK$), $\mathcal{F}$ simulates the forger $\mathcal{F}'$ on input $(VK, HK)$ as follows. When $\mathcal{F}'$ queries the oracle with a message $m_i$, $\mathcal{F}$ finds $r_i \in \mathcal{R}$ such that $h_{HK}(m_i; r_i) = h_{HK}(m'_i; r'_i)$ and proceeds as if the signature obtained by the signing oracle $S'$ was $(r_i, \Sigma_i)$. Recall that $r_i$ can be chosen such that if $r'_i$ is uniformly distributed in $\mathcal{R}$ then $r_i$ is computationally indistinguishable from uniform in $\mathcal{R}$. Hence, the distribution of the output of the simulated oracle is computationally indistinguishable from the distribution of the output of the real oracle. Thus, with probability $\ge \epsilon/2$, $\mathcal{F}$ obtains a message $m$ and a pair $(r, \Sigma)$ such that:

- $h_{HK}(m; r) \ne h_{HK}(m'_i; r'_i)$ for every $i = 1, \ldots, Q$.

- $\Sigma$ is a valid signature of $h_{HK}(m; r)$ (with respect to the original signature scheme).

Hence $\mathcal{F}$ succeeds in forging a new signature with probability $\ge \epsilon/2$ in time $T + T_{\mathcal{I}} + Q(T_{\mathcal{H}} + T_{COL})$. □
Recalling the definitions of security, we get:

Theorem 1. The resulting on-line/off-line signature scheme is secure against adaptive chosen message attacks, provided that the original scheme is secure against generic chosen message attacks.

Our technique can be used to enhance the security of signature schemes even further. In particular, our conversion method can be used to convert any signature scheme which is secure only against random message attacks into a signature scheme which is secure against adaptive chosen message attacks. Recall that in the proof of Lemma 4 the signing oracle $S'$ with a given query $m_i$ was simulated as follows: Retrieve from memory the signature $\Sigma_i$ of $h_{HK}(m'_i; r'_i)$ (obtained by the oracle), find an element $r_i$ such that $h_{HK}(m_i; r_i) = h_{HK}(m'_i; r'_i)$, and output $(r_i, \Sigma_i)$ as a signature of $m_i$. If the original scheme is only secure against random message attacks, then the forger $\mathcal{F}$ has access to an oracle that outputs pairs $(c_i, \Sigma_i)$, where $c_i$ is a random message (generated by the oracle) and $\Sigma_i$ is a valid signature of $c_i$. Hence, using the same technique, to simulate the signing oracle $S'$ with a given query $m_i$ one needs to find $r_i$ such that $h_{HK}(m_i; r_i) = c_i$. Thus, we need the trapdoor hash family to have the following inversion property: given a pair $(HK, TK)$, a message $m \in \mathcal{M}$, and an element $c$ in the image of $h_{HK}$, it is easy to find $r \in \mathcal{R}$ such that:

- $h_{HK}(m; r) = c$.

- The distribution of $r$ is computationally indistinguishable from uniform in $\mathcal{R}$, provided that for every $m$ the distribution of $c$ is computationally indistinguishable from the distribution of $h_{HK}(m; r)$, where $r$ is uniformly distributed in $\mathcal{R}$.

By applying our on-line/off-line conversion method with such a trapdoor hash family, we can modify the proof of Lemma 4 to prove that the signature scheme obtained is secure against adaptive chosen message attacks, provided that the original scheme is secure against random message attacks.
A Proof of Lemma 1

Proof. 1. Efficiency: Clearly, given a hash key $n$ and a pair $(m; r) \in \mathcal{M} \times QR_n$, the function $h(m; r)$ (a composition of $|m|$ of the permutations $f_0, f_1$ modulo $n$) can be computed in polynomial time.

2. Collision resistance: Assume to the contrary, that there exists a probabilistic polynomial time algorithm that given a hash key $n$ outputs two pairs $(m_1, r_1), (m_2, r_2) \in \mathcal{M} \times QR_n$ such that $m_1 \ne m_2$ and $h_{HK}(m_1, r_1) = h_{HK}(m_2, r_2)$, with a probability which is not negligible. Let $i$ be the smallest index of a bit where $m_1$ and $m_2$ differ (i.e., $m_1[i] \ne m_2[i]$ and $m_1[j] = m_2[j]$ for all $j < i$). Such a bit exists due to the suffix-free property of $\mathcal{M}$. Since we assume that the result of the hash function on $(m_1, r_1)$ and $(m_2, r_2)$ is the same and that $m_1[j] = m_2[j]$ for all $j < i$, and since $f_0, f_1$ are permutations, it follows that

$f_{m_1[i]} \circ \cdots \circ f_{m_1[|m_1|]}(r_1) = f_{m_2[i]} \circ \cdots \circ f_{m_2[|m_2|]}(r_2).$

Thus, we found a pair of values $r'_1$ and $r'_2$ for which $f_{m_1[i]}(r'_1) = f_{m_2[i]}(r'_2)$ with $m_1[i] \ne m_2[i]$. As proven in [0], the existence of such claws for $(f_0, f_1)$ contradicts the Factoring Assumption.

3. Trapdoor collisions: Given a pair $(m_1, r_1) \in \mathcal{M} \times QR_n$ and any additional message $m_2 \in \mathcal{M}$, a value $r_2 \in QR_n$ such that $h_{HK}(m_1, r_1) = h_{HK}(m_2, r_2)$ is given by

$r_2 = f^{-1}_{m_2[|m_2|]} \circ \cdots \circ f^{-1}_{m_2[1]}(h_{HK}(m_1; r_1)).$

Given the trapdoor key $TK = (p, q)$, the functions $f_0^{-1}, f_1^{-1}$ are computable in polynomial time, and therefore the value of $r_2$ is also computable in polynomial time. It remains to note that since $f_0, f_1$ are permutations on $QR_n$, it follows that if $r_1$ is uniformly distributed in $QR_n$ then $r_2$ is also uniformly distributed in $QR_n$.

□



B Proof of Lemma 2

Proof. 1. Efficiency: Clearly, given a hash key $HK = (p, g, y)$ and a pair $(m, r) \in \mathbb{Z}_q \times \mathbb{Z}_q$, the function $h_{HK}(m, r) = g^{m} y^{r} \pmod p$ is computable in polynomial time.

2. Collision resistance: Assume to the contrary, that there exists a probabilistic polynomial time algorithm that given a hash key $HK = (p, g, y)$, outputs two pairs $(m_1, r_1), (m_2, r_2) \in \mathbb{Z}_q \times \mathbb{Z}_q$ such that $m_1 \ne m_2$ and $h_{HK}(m_1, r_1) = h_{HK}(m_2, r_2)$, with a probability which is not negligible. The discrete log of $y$ with respect to the basis $g$ can be calculated in polynomial time from the output, as follows. Let $\alpha$ denote the discrete log of $y$. Then

$m_1 + \alpha r_1 = m_2 + \alpha r_2 \pmod q.$

The fact that $m_1 \ne m_2 \pmod q$ implies that $r_1 \ne r_2 \pmod q$, and thus $r_1 - r_2$ is invertible modulo the prime $q$. Hence, $\alpha$ can be computed in polynomial time as follows.

$\alpha = (r_2 - r_1)^{-1}(m_1 - m_2) \pmod q.$

This contradicts the Discrete Log Assumption.

3. Trapdoor collisions: Assume that we are given a hash key $(p, g, y)$ and a corresponding trapdoor key $\alpha$. Given any pair $(m_1, r_1) \in \mathbb{Z}_q \times \mathbb{Z}_q$ and any additional message $m_2 \in \mathbb{Z}_q$, we want to find $r_2 \in \mathbb{Z}_q$ such that

$g^{m_1} y^{r_1} = g^{m_2} y^{r_2} \pmod p.$

The value of $r_2$ can be calculated in polynomial time as follows.

$r_2 = \alpha^{-1}(m_1 - m_2) + r_1 \pmod q.$

It remains to note that if $r_1$ is uniformly distributed in $\mathbb{Z}_q$ then $r_2$ is also uniformly distributed in $\mathbb{Z}_q$.

□

C Proof of Lemma 3

Proof. 1. Efficiency: Clearly, given a hash key $HK = (n, g)$ and a pair $(m, r) \in \mathbb{Z}_n \times \mathbb{Z}_{\lambda(n)}$, the function $h_{HK}(m; r) = g^{m \circ r} \pmod n$ is computable in polynomial time.

2. Collision resistance: Assume to the contrary, that there exists a probabilistic polynomial time algorithm that on input $HK = (n, g)$ outputs two pairs $(m_1, r_1), (m_2, r_2) \in \mathbb{Z}_n \times \mathbb{Z}_{\lambda(n)}$ such that $m_1 \ne m_2$ and $h_{HK}(m_1; r_1) = h_{HK}(m_2; r_2)$, with a probability which is not negligible. Denote by $x = m_1 \circ r_1 - m_2 \circ r_2$ (this equality is over $\mathbb{Z}$). $x \ne 0$ since $m_1 \ne m_2$. The fact that $g^{x} = 1 \pmod n$ implies that $\lambda(n)$ divides $x$. Thus, $\phi(n)$ divides $2x$ (since $\phi(n) = (p-1)(q-1) = 4p'q' = 2\lambda(n)$). Hence, there exists a probabilistic polynomial time algorithm, that on input $(n, g)$ outputs a multiple of $\phi(n)$. It is known that from any multiple of $\phi(n)$ the factorization of $n$ can be efficiently computed. So we found a probabilistic polynomial time algorithm that solves the Factoring Problem with a probability which is not negligible. This contradicts the Factoring Assumption.

3. Trapdoor collisions: Given a hash key $HK = (n, g)$, a pair $(m_1, r_1) \in \mathbb{Z}_n \times \mathbb{Z}_{\lambda(n)}$ and an additional message $m_2 \in \mathbb{Z}_n$, we want to find $r_2 \in \mathbb{Z}_{\lambda(n)}$ such that $g^{m_1 \circ r_1} = g^{m_2 \circ r_2} \pmod n$. Namely, we want to find $r_2 \in \mathbb{Z}_{\lambda(n)}$ such that $2^{k} m_1 + r_1 = 2^{k} m_2 + r_2 \bmod \lambda(n)$. Given the trapdoor key $TK = (p, q)$, $\lambda(n)$ can be computed in polynomial time, and hence $r_2$ can be computed in polynomial time as follows.

$r_2 = 2^{k}(m_1 - m_2) + r_1 \pmod{\lambda(n)}.$

It remains to note that if $r_1$ is uniformly distributed in $\mathbb{Z}_{\lambda(n)}$ then $r_2$ is also uniformly distributed in $\mathbb{Z}_{\lambda(n)}$.

□



Remark 4. Each $r$ is uniformly distributed in $\mathbb{Z}_{\lambda(n)}$, and thus a polynomial number of signatures reveal a logarithmic number of the most significant bits in the secret $\lambda(n)$. However, this is not dangerous since the known $n$ and the secret $\phi(n) = 2\lambda(n)$ have the same bits in their top halves.



Remark 5. The equations used to find collisions in the second and third trapdoor hash families look similar, but are based on different security assumptions (discrete log vs. factoring). This difference makes it possible to replace the multiplication operation $\alpha^{-1}(m_1 - m_2)$ by the simpler left shift operation $2^{k}(m_1 - m_2)$, which saves about half the total time. In addition, when the size of the modulus is 1024 bits and the size of the (hashed) $(m_1 - m_2)$ is 160 bits, the reduction of the 1184 bit result modulo a 1024 bit modulus is about 6 times faster than a standard reduction of a 2048 bit product modulo a 1024 bit modulus. Consequently, we estimate that software implementations of the collision finding procedure will be about ten times faster than performing a single modular multiplication of two 1024 bit numbers.
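The following Python is an added example, not the paper's code, for construction 3 of Section 2 and Appendix C: it builds $(n, g)$ from two constructed toy safe primes, computes $h_{HK}(m; r) = g^{m \circ r} \bmod n$, finds a trapdoor collision with the shift-based formula of Remark 5, and then runs the reduction from the collision-resistance proof, recovering the factors of $n$ from the collision (a multiple of $\lambda(n)$, hence of $\phi(n)$). The bit position used for the concatenation ($k = |n|$), the deterministic search for an element of order $\lambda(n)$ and the helper names are assumptions of this example.

```python
"""Added example: construction 3 (factoring-based trapdoor hash), the shift-based
trapdoor collision of Appendix C / Remark 5, and the reduction that turns any
collision into the factorization of n."""
from math import gcd

# Constructed toy safe primes: 23 = 2*11 + 1 and 47 = 2*23 + 1.
P_SAFE, Q_SAFE = 23, 47


def carmichael(p, q):
    """lambda(n) = lcm(p-1, q-1) = 2 p' q' for safe primes p, q."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)


def element_of_order_lambda(n, lam, p_prime, q_prime):
    """Smallest g in Z_n^* of order exactly lambda(n) = 2 p' q' (deterministic
    search, adequate for the toy modulus; a real key would sample g at random)."""
    for g in range(2, n):
        if gcd(g, n) != 1:
            continue
        if all(pow(g, lam // l, n) != 1 for l in (2, p_prime, q_prime)):
            return g
    raise ValueError("no element of order lambda(n)")


def keygen(p=P_SAFE, q=Q_SAFE):
    n = p * q
    lam = carmichael(p, q)
    g = element_of_order_lambda(n, lam, (p - 1) // 2, (q - 1) // 2)
    return (n, g), (p, q)                       # (HK, TK)


def concat(m, r, k):
    """m o r: m shifted left by k bits with r in the low bits.  This example
    assumes k = |n|, which is enough since r < lambda(n) < n."""
    return (m << k) | r


def trapdoor_hash(hk, m, r):
    n, g = hk
    return pow(g, concat(m, r, n.bit_length()), n)


def find_collision(hk, tk, m1, r1, m2):
    """r2 = 2^k (m1 - m2) + r1 mod lambda(n): one shift, two additions and one
    reduction of a short number, which is the point of Remark 5."""
    n, _g = hk
    return ((m1 - m2) * (1 << n.bit_length()) + r1) % carmichael(*tk)


def factor_from_multiple_of_phi(n, multiple):
    """Standard argument: given any multiple M of phi(n), write M = 2^s t with t
    odd and look for a non-trivial square root of 1 among a^(t 2^i) mod n."""
    s, t = 0, multiple
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for a in range(2, n - 1):
        d = gcd(a, n)
        if d != 1:
            return tuple(sorted((d, n // d)))
        b = pow(a, t, n)
        if b == 1:
            continue
        for _ in range(s):
            c = pow(b, 2, n)
            if c == 1:
                if b != n - 1:                  # b^2 = 1, b != +-1: gcd(b-1, n) splits n
                    d = gcd(b - 1, n)
                    return tuple(sorted((d, n // d)))
                break
            b = c
    raise ValueError("no non-trivial square root found")


def factor_from_collision(hk, m1, r1, m2, r2):
    """Appendix C: x = m1 o r1 - m2 o r2 != 0 is a multiple of lambda(n), so 2x is
    a multiple of phi(n) = 2 lambda(n), from which n can be factored."""
    n, _g = hk
    k = n.bit_length()
    x = concat(m1, r1, k) - concat(m2, r2, k)
    if x == 0:
        raise ValueError("not a collision between distinct messages")
    return factor_from_multiple_of_phi(n, 2 * abs(x))


if __name__ == "__main__":
    hk, tk = keygen()
    r2 = find_collision(hk, tk, 77, 12, 500)
    print("collision:", trapdoor_hash(hk, 77, 12) == trapdoor_hash(hk, 500, r2))
    print("factors recovered from it:", factor_from_collision(hk, 77, 12, 500, r2))
```

With the toy parameters $n = 1081$ and $\lambda(n) = 506$ the whole reduction runs instantly; the same code path is what the Factoring Assumption says must be infeasible for anyone who does not hold $(p, q)$, which is exactly why finding collisions without the trapdoor is hard.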
Abstract. In this paper, we propose a novel and efficient protocol for proving the correctness of a shuffle, without leaking how the shuffle was performed. Using this protocol, we can prove the correctness of a shuffle of $n$ data with roughly $18n$ exponentiations, where as the protocol of Sako-Kilian [SK95] required $642n$ and that of Abe [Ab99] required $22n \log n$. The length of proof will be only 2^^n bits in our protocol, opposed to 2^®n bits and 2^'*n log n bits required by Sako-Kilian and Abe, respectively. The proposed protocol will be a building block of an efficient, universally verifiable mix-net, whose application to voting systems is prominent.

Keywords: Mix-net, Permutation, Electronic Voting, Universal Verifiability



1 Introduction 

A mix-net [Ch81] scheme is useful for applications which require anonymity, such as voting. The core technique in a mix-net scheme is to execute multiple rounds of shuffling and decryption by multiple, independent mixers, so that the output decryption can not be linked to any of the input encryptions.

To ensure the correctness of the output, it is desirable to achieve the property of universal verifiability. However, proving the correctness of a shuffle without sacrificing unlinkability required a large amount of computation in the prior art. For example, [SK95] adopted a cut-and-choose method to prove the correctness. Abe [Ab99] took an approach to represent a shuffle using multiple pairwise permutations.^1 In practical terms, however, neither scheme is efficient enough to handle a large number of ciphertexts, say on the order of 10,000.

This paper proposes a novel, efficient scheme for proving the correctness of a shuffle. We take a completely different approach than that of [SK95] and [Ab99]. We represent a permutation by a matrix, and introduce two conditions which suffice to achieve a permutation matrix. We then present zero-knowledge proofs to prove the satisfiability of each condition. Moreover, these two proofs can be merged into one proof, resulting in a very efficient proof of a correct shuffle.

We also present here an analysis of the efficiency of our proof. Our proof requires roughly $18n$ exponentiations to prove the correctness of an $n$-data shuffle,

^1 Another approach, based on a verifiable secret exponent multiplication is described in [Ne01].

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 2001. 
where as the protocol of Sako-Kilian [SK95] required $642n$ and that of Abe [Ab99] required $22n \log n$. Using the computation tools in Esa, the total computation cost necessary in our proof can be reduced to an equivalent of $5n$ exponentiations. The length of a proof will be only 2^^n bits in our protocol, opposed to 2^®n bits and 2^'^n log n bits required by Sako-Kilian and Abe, respectively.

Our paper is organized in the following way. In Section 2 we present the two conditions on a permutation matrix. We then give zero-knowledge proofs for each of the two conditions, and discuss how these proofs are combined to prove the whole shuffle. In the later sections we describe our protocol and compare the efficiency of our protocol to prior work.

2 Basic Idea 

2.1 Shuffling 

Informally speaking, a shuffling is a procedure which on input of $n$ ciphertexts $(E_1, E_2, \ldots, E_n)$, outputs $n$ ciphertexts $(E'_1, E'_2, \ldots, E'_n)$ where:

- there exists a permutation $\phi$ s.t. $D(E'_{\phi(i)}) = D(E_i)$ for all $i$. Here, $D$ is a decryption algorithm for ciphertexts.

- Without the knowledge of $D$ or $\phi$, $(E_1, E_2, \ldots, E_n)$ and $(E'_1, E'_2, \ldots, E'_n)$ reveal no information on the permutation $\phi$.

We consider the use of ElGamal cryptosystems, with public keys $(p, q, g, y)$ and secret key $x \in \mathbb{Z}_q$ s.t. $y = g^{x} \bmod p$.^2

Given $n$ ciphertexts $\{E_i\} = \{(g_i, m_i)\}$, where all $\{g_i\}$ and $\{m_i\}$ have the order $q$, shuffled ciphertexts $\{E'_i\} = \{(g'_i, m'_i)\}$ can be obtained by

$g'_i = g^{r_i} \cdot g_{\phi^{-1}(i)} \bmod p$

$m'_i = y^{r_i} \cdot m_{\phi^{-1}(i)} \bmod p$ (1)

using randomly generated $\{r_i\}$.

2.2 Permutation Matrix 

We define a matrix $(A_{ij})$ to be a permutation matrix if it can be written as follows using some permutation function $\phi$.

$A_{ij} = \begin{cases} 1 \bmod q & \text{if } \phi(i) = j \\ 0 \bmod q & \text{otherwise.} \end{cases}$

Using this permutation matrix, the equation (1) is equivalent to

$(g'_i, m'_i) = \Big(g^{r_i} \prod_{j=1}^{n} g_j^{A_{ji}},\; y^{r_i} \prod_{j=1}^{n} m_j^{A_{ji}}\Big) \bmod p.$ (2)

In order to prove the correctness of the shuffle, we need to show the following two things.

^2 We assume, as usual, $p$ and $q$ are two primes s.t. $p = kq + 1$, where $k$ is an integer, and $g$ is an element that generates a subgroup $G_q$ of order $q$ in $\mathbb{Z}_p^*$.
1. For each pair $(g'_i, m'_i)$, the same $r_i$ and $(A_{ij})$ has been used.

2. $(A_{ij})$ used is a permutation matrix.

The first property can be efficiently shown using a standard technique jHrfldj. The contribution of this paper is to present a novel technique to prove the second property.

At first, we concentrate on proving the existence of a permutation matrix $(A_{ij})$ and $\{r_i\}$ when given $\{g_i\}$ and $\{g'_i\}$, s.t.

$g'_i = g^{r_i} \prod_{j=1}^{n} g_j^{A_{ji}} \bmod p.$ (3)

We thus need to prove the existence of such a permutation matrix. We begin by looking at necessary conditions which suffice to achieve a permutation matrix. The following is the key observation used to construct the proposed protocol.

Theorem 1. A matrix is a permutation matrix if and only if, for all $i, j$, and $k$, both

$\sum_{h=1}^{n} A_{hi} A_{hj} = \begin{cases} 1 \bmod q, & \text{if } i = j \\ 0 \bmod q, & \text{if } i \ne j \end{cases}$ (4)

$\sum_{h=1}^{n} A_{hi} A_{hj} A_{hk} = \begin{cases} 1 \bmod q & \text{if } i = j = k \\ 0 \bmod q & \text{if otherwise} \end{cases}$ (5)

hold.

Notation 1 For convenience, we define $\delta_{ij}$ and $\delta_{ijk}$ $(i, j, k = 1, \ldots, n)$ to be, respectively,

$\delta_{ij} = \begin{cases} 1 & \text{if } i = j \\ 0 & \text{if } i \ne j \end{cases}$, $\qquad \delta_{ijk} = \begin{cases} 1 & \text{if } i = j = k \\ 0 & \text{if otherwise.} \end{cases}$

Proof. We first show that there is exactly one non-zero element in each row vector of $(A_{ij})$ and then, the same for each column vector.

Let $C_i$ be the $i$-th column vector of the matrix $(A_{ij})$. Then, from Equation (4), we see $\langle C_i, C_j \rangle = \delta_{ij}$ where $\langle A, B \rangle$ is the inner product of vectors $A$ and $B$. This implies that $\mathrm{rank}(A_{ij}) = n$, that is, there is at least one non-zero element in each row and each column. Next we consider a vector $C_i \odot C_j$ $(i \ne j)$ where the operator $\odot$ is defined as $(a_1 \ldots a_n) \odot (b_1 \ldots b_n) = (a_1 b_1 \ldots a_n b_n)$. Define a vector $C = \sum_{l=1}^{n} k_l C_l$ with arbitrary $k_l$. From the fact $\langle C, C_i \odot C_j \rangle = \sum_{l=1}^{n} k_l \sum_{h=1}^{n} A_{hl} A_{hi} A_{hj} = \sum_{l=1}^{n} k_l \delta_{lij} = 0$ (by Equation (5), since $i \ne j$) and linear combinations of $\{C_l\}$ generate the space $\mathbb{Z}_q^{n}$, we obtain $C_i \odot C_j = 0$. This means for any $h, i$ and $j$ s.t. $i \ne j$, either $A_{hi} = 0$ or $A_{hj} = 0$. Therefore, the number of non-zero elements in each row vector of $(A_{ij})$ is at most 1, and thus exactly 1.

From the above observations, the matrix $(A_{ij})$ contains exactly $n$ non-zero elements. Since $C_i \ne 0$ for all $i$, the number of non-zero elements in each column vector is also 1. Thus, there is exactly one non-zero element in each row vector and each column vector of the matrix $(A_{ij})$ if Equations (4) and (5) hold.

The unique non-zero element $e_j$ in the $j$-th row must satisfy $e_j^{2} = 1 \bmod q$ from Equation (4) and $e_j^{3} = 1 \bmod q$ from Equation (5). This leads to $e_j = 1$ and that the matrix is a permutation matrix over $\mathbb{Z}_q$.
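As an added example (not from the paper), the following Python performs an ElGamal re-encryption shuffle both directly via Equation (1) and via the permutation matrix of Equation (2), and checks the two conditions of Theorem 1 on that matrix. It also constructs a matrix with a single $-1$ entry that satisfies Equation (4) but not Equation (5), which is the reason the protocol must prove both conditions; the toy group parameters, the sample plaintexts and the helper names are this example's own.

```python
"""Added example: ElGamal re-encryption shuffle as a permutation (Eq. (1)) and
as a permutation matrix (Eq. (2)), plus a checker for Theorem 1's conditions."""
import secrets

# Toy group, constructed for this example: p = 2q + 1, g = 4 of order q.
P, Q, G = 1019, 509, 4


def permutation_matrix(phi):
    """A_ij = 1 if phi(i) = j, else 0 (phi given as a list, phi[i] = j)."""
    n = len(phi)
    return [[1 if phi[i] == j else 0 for j in range(n)] for i in range(n)]


def delta(*idx):
    return 1 if all(i == idx[0] for i in idx) else 0


def satisfies_condition_4(A):
    """sum_h A_hi A_hj = delta_ij mod q for all i, j (Equation (4))."""
    n = len(A)
    return all(sum(A[h][i] * A[h][j] for h in range(n)) % Q == delta(i, j)
               for i in range(n) for j in range(n))


def satisfies_condition_5(A):
    """sum_h A_hi A_hj A_hk = delta_ijk mod q for all i, j, k (Equation (5))."""
    n = len(A)
    return all(sum(A[h][i] * A[h][j] * A[h][k] for h in range(n)) % Q == delta(i, j, k)
               for i in range(n) for j in range(n) for k in range(n))


def is_permutation_matrix(A):
    return satisfies_condition_4(A) and satisfies_condition_5(A)


# --- ElGamal with public key (p, q, g, y), secret key x, y = g^x mod p ---

def elgamal_encrypt(y, msg, r):
    """msg must lie in the order-q subgroup G_q."""
    return pow(G, r, P), (pow(y, r, P) * msg) % P


def elgamal_decrypt(x, ct):
    g_i, m_i = ct
    return (m_i * pow(pow(g_i, x, P), -1, P)) % P


def shuffle_by_permutation(cts, phi, rs, y):
    """Equation (1): E'_i = (g^{r_i} g_{phi^{-1}(i)}, y^{r_i} m_{phi^{-1}(i)})."""
    n = len(cts)
    inv = [0] * n
    for i, j in enumerate(phi):
        inv[j] = i
    return [((pow(G, rs[i], P) * cts[inv[i]][0]) % P,
             (pow(y, rs[i], P) * cts[inv[i]][1]) % P) for i in range(n)]


def shuffle_by_matrix(cts, A, rs, y):
    """Equation (2): E'_i = (g^{r_i} prod_j g_j^{A_ji}, y^{r_i} prod_j m_j^{A_ji})."""
    n = len(cts)
    out = []
    for i in range(n):
        g_i, m_i = pow(G, rs[i], P), pow(y, rs[i], P)
        for j in range(n):
            g_i = (g_i * pow(cts[j][0], A[j][i], P)) % P
            m_i = (m_i * pow(cts[j][1], A[j][i], P)) % P
        out.append((g_i, m_i))
    return out


def signed_permutation_matrix(phi):
    """Constructed counterexample: negate one entry (q - 1 = -1 mod q).  It still
    satisfies Equation (4), since (-1)^2 = 1, but violates Equation (5), since
    (-1)^3 = -1; proving only the first condition would accept it."""
    A = permutation_matrix(phi)
    A[0][phi[0]] = Q - 1
    return A


if __name__ == "__main__":
    x = 1 + secrets.randbelow(Q - 1)
    y = pow(G, x, P)
    msgs = [pow(G, e, P) for e in (1, 2, 3)]                 # three elements of G_q
    cts = [elgamal_encrypt(y, m, 1 + secrets.randbelow(Q - 1)) for m in msgs]
    phi, rs = [2, 0, 1], [7, 8, 9]
    print("matrix shuffle == permutation shuffle:",
          shuffle_by_matrix(cts, permutation_matrix(phi), rs, y)
          == shuffle_by_permutation(cts, phi, rs, y))
    print("signed matrix passes (4), fails (5):",
          satisfies_condition_4(signed_permutation_matrix(phi)),
          satisfies_condition_5(signed_permutation_matrix(phi)))
```

The checker evaluates the conditions in the clear, which a verifier cannot do without learning $(A_{ij})$; Proof-1 and Proof-2 below are what let the prover establish the same two facts about a hidden matrix.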

2.3 Outline of Main Protocol

Using Theorem 1 the main protocol can be constructed by the following proofs

Proof-1 a proof that given $\{g_i\}$ and $\{g'_i\}$, $\{g'_i\}$ can be expressed as eq.(3) using integers $\{r_i\}$ and a matrix that satisfies the first condition.

Proof-2 a proof that given $\{g_i\}$ and $\{g'_i\}$, $\{g'_i\}$ can be expressed as eq.(3) using integers $\{r_i\}$ and a matrix that satisfies the second condition.

Proof-3 a proof that integers $\{r_i\}$ and the matrix used in the above two proofs are identical.

Proof-4 For each pair $(g'_i, m'_i)$, the same $r_i$ and $\{A_{ij}\}$ has been used.

In Section 4 we provide protocols for Proof-1 and Proof-2.



3 Security of the Protocol 



We will prove that the main protocol is sound and zero-knowledge under computational assumption. More specifically, for the property of soundness, we can claim that if a verifier accepts the protocol, then either the prover knows the permutation or he knows integers $\{a_i\}$ and $a$ satisfying $g^{a} \prod_{i=1}^{n} g_i^{a_i} = 1$ with overwhelming probability. For the zero-knowledge property, we can construct a simulator and claim that if there is a distinguisher who can distinguish between a real transcript from the protocol and an output from the simulator, then this distinguisher can be used to solve the decisional Diffie-Hellman problem. We note that to make a shuffle secret, we already assume the hardness of the decisional Diffie-Hellman problem.

In the course of reduction, we use the following arguments. First, we define the following set.

Definition 1. Define $R_n^m$ to be the set of tuples of $n \times m$ elements in $G_q$:



I = 



Am) ( 1 ) 



Am) 



AI) 












We then define the subset $D_n^m$ of $R_n^m$ to be the set of tuples $I$ satisfying
log^(i) x^f'’ = logjDX^^ modp
for all $i$ $(i = 2, 3, \ldots, m)$ and $j$ $(j = 2, \ldots, n)$.

Definition 2. We define the problem of distinguishing instances uniformly chosen from $R_n^m$ and those from $D_n^m$ by $DDH_n^m$.

Note that the decisional Diffie-Hellman problem can be denoted as DDH^-. We claim that for any $n$ and $m$ the difficulty of $DDH_n^m$ equals the decisional Diffie-Hellman problem, by proving the following.

Lemma 1. For any $n (\ge 2)$ and $m (\ge 2)$, if $DDH_n^m$ is easy, then DDH^ is easy.

Lemma 2. If for any $n (\ge 2)$, DDHf^ is easy then the decisional Diffie-Hellman is easy.

Proofs for Lemma 1 and 2 are sketched in the Appendix.

4 Proof-1 and Proof-2 

In this section, we give two proofs that will be the building blocks of the main 
protocol. 

4.1 Proving the First Condition (Proof-1) 

The following protocol proves that given $\{g_i\}$ and $\{g'_i\}$, the prover knows $\{r_i\}$ and $\{A_{ij}\}$ s.t.

$g'_i = g^{r_i} \prod_{j=1}^{n} g_j^{A_{ji}} \bmod p$

$\sum_{h=1}^{n} A_{hi} A_{hj} = \delta_{ij} \bmod q.$

The main idea is to issue $s = \sum_{j=1}^{n} r_j c_j$, $s_i = \sum_{j=1}^{n} A_{ij} c_j$ as a response to a challenge $\{c_j\}$ and let the verifier check

$\sum_{i=1}^{n} s_i^{2} = \sum_{j=1}^{n} c_j^{2} \bmod q$

$g^{s} \prod_{i=1}^{n} g_i^{s_i} = \prod_{j=1}^{n} g_j'^{\,c_j} \bmod p.$

However, this apparently leaks information on $A_{ij}$, so we need to add randomizers and commitments. By making the response $s = \sum_{j=1}^{n} r_j c_j + \alpha$, $s_i = \sum_{j=1}^{n} A_{ij} c_j + \alpha_i$ using randomizers $\{\alpha_i\}$ and $\alpha$, a verifier needs to check the following equation:

$\sum_{i=1}^{n} s_i^{2} = \sum_{j=1}^{n} c_j^{2} + \sum_{j=1}^{n} B_j c_j + D \bmod q,$

where $B_j$ and $D$ are quadratic polynomials of $\{A_{ij}\}$ and $\alpha_i$. Therefore these $B_j$ and $D$, together with $g^{\alpha} \prod_{i=1}^{n} g_i^{\alpha_i}$, must also be sent in advance to enable verification. We further add another randomizer $\sigma$ and modify the verification equation to be

$\sum_{i=1}^{n} s_i^{2} + \sigma s = \sum_{j=1}^{n} c_j^{2} + \sum_{j=1}^{n} (B_j + \sigma r_j) c_j + (D + \sigma \alpha) \bmod q.$

In order to hide the actual value of $\sigma$, $\{B_j + \sigma r_j\}$ and $D + \sigma\alpha$, this verification is computed over exponents. The below gives a complete description of Proof-1.

Proof-1

Input: $p, q, g, \{g_i\}, \{g'_i\}$.

1. Prover ($P$) generates random numbers $\sigma, \alpha, \{\alpha_i\} \in \mathbb{Z}_q$ and computes

$w = g^{\sigma} \bmod p$

$g' = g^{\alpha} \prod_{i=1}^{n} g_i^{\alpha_i} \bmod p$

together with the commitments $\{w_i\}$ to the exponents $B_i + \sigma r_i$ and $D + \sigma\alpha$ described above, and sends $w, g', \{w_i\}$ $(i = 1, \ldots, n)$ to $V$.

2. $V$ sends back randomly chosen $\{c_i\} \in \mathbb{Z}_q$ as a challenge.

3. $P$ computes $s = \sum_{j=1}^{n} r_j c_j + \alpha \bmod q$ and $s_i = \sum_{j=1}^{n} A_{ij} c_j + \alpha_i \bmod q$ $(i = 1, \ldots, n)$ and sends them to $V$.

4. $V$ verifies the following:

$g^{s} \prod_{i=1}^{n} g_i^{s_i} = g' \prod_{j=1}^{n} g_j'^{\,c_j} \bmod p$ (6)

together with the randomized quadratic relation above, checked in the exponent using $w$ and $\{w_i\}$ (Equations (7) and (8)).



Properties of Proof-1

Theorem 2. Proof-1 is complete. That is, if $P$ knows $\{r_i\}$ and $\{A_{ij}\}$ satisfying the first condition, $V$ always accepts.

Theorem 3. If $V$ accepts Proof-1 with a non-negligible probability, then $P$ either knows both $\{r_i\}$ and $\{A_{ij}\}$ satisfying the first condition, or can generate integers $\{a_i\}$ and $a$ satisfying $g^{a} \prod_{i=1}^{n} g_i^{a_i} = 1$ with overwhelming probability.
A sketch of Proof: Theorem 3 can be proved from the following lemmas, proofs of which are sketched in the Appendix.

Lemma 3. If $V$ accepts Proof-1 with non-negligible probability, then $P$ knows $\{A_{ij}\}, \{r_i\}, \{\alpha_i\}$, and $\alpha$ satisfying the commitment equations of step 1.

Lemma 4. Assume $P$ knows $\{A_{ij}\}, \{r_i\}, \{\alpha_i\}$, and $\alpha$ satisfying the commitment equations of step 1. If $P$ knows $\{s_i\}$ and $s$ which satisfy the verification equations and either $s \ne \sum_{j=1}^{n} r_j c_j + \alpha$ or $s_i \ne \sum_{j=1}^{n} A_{ij} c_j + \alpha_i$ for some $i$ hold, then $P$ can generate non-trivial integers $\{a_i\}$ and $a$ satisfying $g^{a} \prod_{i=1}^{n} g_i^{a_i} = 1$ with overwhelming probability.

Lemma 5. Assume $P$ knows $\{A_{ij}\}, \{r_i\}, \{\alpha_i\}$, and $\alpha$ satisfying the commitment equations of step 1. If the verification equations hold with non-negligible probability, then either the first condition holds or $P$ can generate non-trivial integers $\{a_i\}$ and $a$ satisfying $g^{a} \prod_{i=1}^{n} g_i^{a_i} = 1$ with overwhelming probability.

□

Theorem 4. We can construct a simulator of Proof-1 such that if there is a distinguisher who can distinguish between a real transcript from the protocol and an output from the simulator, then we can solve the decisional Diffie-Hellman problem.

A sketch of Proof: Given in the Appendix. □



4.2 Proving the Second Condition (Proof-2)

Analogous to Proof-1, the proof for the fact that the prover knows {r_i} and {A_ij} s.t.

$$g'_i = g^{r_i}\prod_{j=1}^{n} g_j^{A_{ji}} \bmod p, \qquad \sum_{h=1}^{n} A_{hi}A_{hj}A_{hk} = \delta_{ijk} \bmod q$$

for {g_i} and {g'_i}, is given as Proof-2.

Proof-2

Input: p, q, g, {g_i}, {g'_i}.

1. Prover (P) generates random numbers ρ, τ, α, {α_i}, λ, {λ_i} ∈_R Z_q (i = 1, ..., n) and computes

$$t = g^{\tau},\quad v = g^{\rho},\quad u = g^{\lambda},\quad u_i = g^{\lambda_i} \bmod p \quad (i = 1,\dots,n),$$

$$g' = g^{\alpha}\prod_{j=1}^{n} g_j^{\alpha_j} \bmod p,$$

$$\tilde t_i = g^{\sum_{j=1}^{n} 3\alpha_j A_{ji} + \tau\lambda_i} \bmod p \quad (i = 1,\dots,n),$$

$$\tilde v_i = g^{\sum_{j=1}^{n} 3\alpha_j^2 A_{ji} + \rho r_i} \bmod p \quad (i = 1,\dots,n),$$

$$\tilde v = g^{\sum_{j=1}^{n}\alpha_j^3 + \tau\lambda + \rho\alpha} \bmod p,$$

and sends t, v, u, {u_i}, g', {t̃_i}, {ṽ_i}, ṽ (i = 1, ..., n) to V.

2. V sends back randomly chosen {c_i} ∈_R Z_q as a challenge.

3. P computes s = Σ_{j=1}^n r_j c_j + α mod q, s_i = Σ_{j=1}^n A_ij c_j + α_i mod q (i = 1, ..., n), and λ' = Σ_{j=1}^n λ_j c_j^2 + λ mod q and sends them to V.

4. V verifies the following:

$$g^{s}\prod_{i=1}^{n} g_i^{s_i} = g'\prod_{j=1}^{n}{g'_j}^{c_j} \bmod p,$$

$$g^{\lambda'} = u\prod_{j=1}^{n} u_j^{c_j^2} \bmod p,$$

$$t^{\lambda'}\, v^{s}\, g^{\sum_{i=1}^{n} s_i^3} = \tilde v\prod_{j=1}^{n}\tilde t_j^{c_j^2}\prod_{j=1}^{n}\tilde v_j^{c_j}\, g^{\sum_{j=1}^{n} c_j^3} \bmod p.$$
Properties of Proof-2

We claim the following properties of Proof-2, which can be proved analogously to those of Proof-1.

Theorem 5. Proof-2 is complete. That is, if P knows {r_i} and {A_ij} satisfying the second condition, V always accepts.

Theorem 6. If V accepts Proof-2 with a non-negligible probability, then P either knows both {r_i} and {A_ij} satisfying the second condition, or can generate non-trivial integers {a_i} and a satisfying g^a Π_{i=1}^n g_i^{a_i} = 1 with overwhelming probability.

Theorem 7. We can construct a simulator of Proof-2 such that if there is a distinguisher who can distinguish between a real transcript from the protocol and an output from the simulator, then we can solve the decisional Diffie-Hellman problem.
4.3 Constructing the Main Protocol

In this subsection, we explain how our main protocol is constructed using Proof-1 and Proof-2. It should be noted that these proofs do not have the ordinary soundness property. That is, a prover knowing integers {a_i} and a satisfying g^a Π_{i=1}^n g_i^{a_i} = 1 can deceive verifiers as if he had shuffled correctly. Since {g_i} is originally chosen by those who encrypted the messages, there is no control to assure that the prover does not know the relations among them. Therefore, we fix a set of basis {g̃, g̃_1, ..., g̃_n} independent from the input ciphertexts, in a way that lets us assure the relations among the basis are unknown. In fact, under the Discrete Logarithm Assumption, we can make it computationally infeasible to obtain such {a_i} and a if we generate {g̃, g̃_1, ..., g̃_n} randomly [Br93]. This way it also satisfies the requirement that the verifier should not know log_g g̃, which the zero-knowledge property needs.

We require the prover to perform the same permutation on the set of fixed basis as he did on the input ciphertexts. The prover proves that the permutation on the fixed basis {g̃, g̃_1, ..., g̃_n} is indeed a permutation, and that he indeed applied the same permutation to the input ciphertexts.

Using the above methodology, we need not provide Proof-3 described earlier. If a prover knows two different representations of an element using {g̃, g̃_1, ..., g̃_n}, it means that he knows the relations among the basis {g̃, g̃_1, ..., g̃_n}, which is against the assumption. Proof-4 is achieved using standard techniques. Therefore we are now equipped with the building blocks to prove the correctness of a shuffle.

5 The Main Protocol

In the previous subsection we illustrated our protocol as a combination of Proof-1 and Proof-2, mainly for comprehensibility. The proofs can be executed in parallel, resulting in a three-round protocol with reduced communication complexity.

Main Protocol

Input: p, q, g, y, g̃, {g̃_i}, {(g_i, m_i)}, {(g'_i, m'_i)}.

1. Prover (P) generates the following random numbers: σ, ρ, τ, α, {α_i}, λ, {λ_i} ∈_R Z_q (i = 1, ..., n).

2. P computes the following:

$$t = \tilde g^{\tau},\quad v = \tilde g^{\rho},\quad w = \tilde g^{\sigma},\quad u = \tilde g^{\lambda},\quad u_i = \tilde g^{\lambda_i} \bmod p \quad (i = 1,\dots,n)$$

$$\tilde g'_i = \tilde g^{r_i}\prod_{j=1}^{n}\tilde g_j^{A_{ji}} \bmod p \quad (i = 1,\dots,n) \tag{9}$$

$$\tilde g' = \tilde g^{\alpha}\prod_{j=1}^{n}\tilde g_j^{\alpha_j} \bmod p \tag{10}$$

$$g' = g^{\alpha}\prod_{j=1}^{n} g_j^{\alpha_j} \bmod p,\qquad m' = y^{\alpha}\prod_{j=1}^{n} m_j^{\alpha_j} \bmod p$$

$$\tilde t_i = \tilde g^{\sum_{j=1}^{n} 3\alpha_j A_{ji} + \tau\lambda_i},\quad
\tilde v_i = \tilde g^{\sum_{j=1}^{n} 3\alpha_j^2 A_{ji} + \rho r_i},\quad
w_i = \tilde g^{\sum_{j=1}^{n} 2\alpha_j A_{ji} + \sigma r_i} \bmod p \quad (i = 1,\dots,n)$$

$$\tilde v = \tilde g^{\sum_{j=1}^{n}\alpha_j^3 + \tau\lambda + \rho\alpha} \bmod p,\qquad
\tilde w = \tilde g^{\sum_{j=1}^{n}\alpha_j^2 + \sigma\alpha} \bmod p$$

3. P sends the following to the verifier V:

t, v, w, u, {u_i}, {g̃'_i}, g̃', g', m', {t̃_i}, {ṽ_i}, ṽ, {w_i}, w̃ (i = 1, ..., n).

4. V sends back randomly chosen {c_i} ∈_R Z_q as a challenge.

5. P computes the following and sends them to V:

$$s = \sum_{j=1}^{n} r_j c_j + \alpha,\qquad s_i = \sum_{j=1}^{n} A_{ij} c_j + \alpha_i \bmod q \quad (i = 1,\dots,n)$$

$$\lambda' = \sum_{j=1}^{n}\lambda_j c_j^2 + \lambda \bmod q$$

6. V verifies the following:

$$\tilde g^{s}\prod_{i=1}^{n}\tilde g_i^{s_i} = \tilde g'\prod_{j=1}^{n}{\tilde g'_j}^{c_j} \bmod p \tag{11}$$

$$g^{s}\prod_{i=1}^{n} g_i^{s_i} = g'\prod_{j=1}^{n}{g'_j}^{c_j} \bmod p \tag{12}$$

$$y^{s}\prod_{i=1}^{n} m_i^{s_i} = m'\prod_{j=1}^{n}{m'_j}^{c_j} \bmod p \tag{13}$$

$$\tilde g^{\lambda'} = u\prod_{j=1}^{n} u_j^{c_j^2} \bmod p \tag{14}$$

$$t^{\lambda'}\, v^{s}\,\tilde g^{\sum_{i=1}^{n} s_i^3} = \tilde v\prod_{j=1}^{n}\tilde t_j^{c_j^2}\prod_{j=1}^{n}\tilde v_j^{c_j}\,\tilde g^{\sum_{j=1}^{n} c_j^3} \bmod p \tag{15}$$

$$w^{s}\,\tilde g^{\sum_{i=1}^{n} s_i^2} = \tilde w\prod_{j=1}^{n} w_j^{c_j}\,\tilde g^{\sum_{j=1}^{n} c_j^2} \bmod p \tag{16}$$

Equations (11) to (13) check that one and the same set of responses s, {s_i} explains the shuffled fixed basis, the shuffled g-components and the shuffled m-components; Equations (14) to (16) are the Proof-2 and Proof-1 checks carried out on the fixed basis.

Theorem 8. Main Protocol is complete. That is, if P knows {r_i} and {A_ij} satisfying both conditions of Theorem 1, V always accepts.

Theorem 9. If V accepts Main Protocol with a non-negligible probability, then P knows {r_i} and a permutation matrix (A_ij) satisfying the shuffle relations g'_i = g^{r_i} Π_{j=1}^n g_j^{A_ji} and m'_i = y^{r_i} Π_{j=1}^n m_j^{A_ji} mod p, or can generate non-trivial integers {a_i} and a satisfying g̃^a Π_{i=1}^n g̃_i^{a_i} = 1 with overwhelming probability.

Theorem 10. We can construct a simulator of Main Protocol such that if there is a distinguisher who can distinguish between a real transcript from the protocol and an output from the simulator, then we can solve the decisional Diffie-Hellman problem.

Proofs for Theorems 9 and 10 are sketched in Appendix C.
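A toy end-to-end run of the Main Protocol, added here as an illustration. This is the editor's code, not the paper's, and it uses constructed parameters (p = 2039, q = 1019, a fixed RNG seed, four ciphertexts) that are far too small for real use. It implements steps 1 to 6 with the equations exactly as written above and then runs two cases: an honest permutation, where all six checks pass and the decrypted outputs are the original messages, and a signed permutation (one entry equal to -1), which satisfies the first condition but not the second, so (11) to (14) and (16) still pass while (15) fails. The second run is the reason Proof-2 is needed alongside Proof-1.

```python
import random

# Constructed toy group: p = 2q + 1 with q prime, G_q = quadratic residues mod p.
# Far too small for real use (the paper assumes |p| = 1024, |q| = 160); chosen so the run is instant.
P, Q = 2039, 1019
rng = random.Random(2001)  # fixed seed: the worked run is reproducible

def rand_zq():
    return rng.randrange(1, Q)

def rand_gq():
    return pow(rng.randrange(2, P - 1), 2, P)  # squaring lands in the order-q subgroup

def gexp(b, e):
    return pow(b, e % Q, P)  # exponents live in Z_q, so negative ones are fine

def prod(bases, exps):
    """prod_j bases[j]^exps[j] mod p."""
    acc = 1
    for b, e in zip(bases, exps):
        acc = acc * gexp(b, e) % P
    return acc

def perm_matrix(pi):
    """A[j][i] = 1 iff output i is built from input j = pi(i), matching g'_i = g^{r_i} prod_j g_j^{A_ji}."""
    A = [[0] * len(pi) for _ in pi]
    for i, j in enumerate(pi):
        A[j][i] = 1
    return A

def col(A, i):
    return [row[i] for row in A]

def shuffle(A, r, g, y, cts):
    """(g'_i, m'_i) = (g^{r_i} prod_j g_j^{A_ji}, y^{r_i} prod_j m_j^{A_ji}): re-encrypt and permute."""
    gs, ms = [c[0] for c in cts], [c[1] for c in cts]
    return [(gexp(g, r[i]) * prod(gs, col(A, i)) % P,
             gexp(y, r[i]) * prod(ms, col(A, i)) % P) for i in range(len(r))]

def prove_commit(A, r, gt, gts, g, y, cts):
    """Steps 1-3: randomizers and the first-round commitments (gt, gts are the fixed basis)."""
    n = len(r)
    sigma, rho, tau, alpha, lam = (rand_zq() for _ in range(5))
    al, lams = [rand_zq() for _ in range(n)], [rand_zq() for _ in range(n)]
    gs, ms = [c[0] for c in cts], [c[1] for c in cts]
    com = {
        "t": gexp(gt, tau), "v": gexp(gt, rho), "w": gexp(gt, sigma), "u": gexp(gt, lam),
        "u_i": [gexp(gt, lams[i]) for i in range(n)],
        "gt_i": [gexp(gt, r[i]) * prod(gts, col(A, i)) % P for i in range(n)],  # (9)
        "gt'": gexp(gt, alpha) * prod(gts, al) % P,                             # (10)
        "g'": gexp(g, alpha) * prod(gs, al) % P,
        "m'": gexp(y, alpha) * prod(ms, al) % P,
        # exponents are the c_i^2 and c_i coefficients the verifier re-derives in (15) and (16)
        "t_i": [gexp(gt, sum(3 * al[j] * A[j][i] for j in range(n)) + tau * lams[i]) for i in range(n)],
        "v_i": [gexp(gt, sum(3 * al[j] ** 2 * A[j][i] for j in range(n)) + rho * r[i]) for i in range(n)],
        "w_i": [gexp(gt, sum(2 * al[j] * A[j][i] for j in range(n)) + sigma * r[i]) for i in range(n)],
        "vt": gexp(gt, sum(a ** 3 for a in al) + tau * lam + rho * alpha),
        "wt": gexp(gt, sum(a ** 2 for a in al) + sigma * alpha),
    }
    return com, (alpha, lam, al, lams)

def prove_respond(A, r, secret, c):
    """Step 5: s, {s_i} and lambda' for the verifier's challenge {c_j}."""
    alpha, lam, al, lams = secret
    n = len(r)
    s = (sum(r[j] * c[j] for j in range(n)) + alpha) % Q
    s_i = [(sum(A[i][j] * c[j] for j in range(n)) + al[i]) % Q for i in range(n)]
    lam2 = (sum(lams[j] * c[j] ** 2 for j in range(n)) + lam) % Q
    return s, s_i, lam2

def verify(com, c, s, s_i, lam2, gt, gts, g, y, cts, out):
    """Step 6, one entry per equation so a failure can be attributed to the condition it checks."""
    gs, ms = [x[0] for x in cts], [x[1] for x in cts]
    c2 = [x * x for x in c]
    return {
        11: gexp(gt, s) * prod(gts, s_i) % P == com["gt'"] * prod(com["gt_i"], c) % P,
        12: gexp(g, s) * prod(gs, s_i) % P == com["g'"] * prod([o[0] for o in out], c) % P,
        13: gexp(y, s) * prod(ms, s_i) % P == com["m'"] * prod([o[1] for o in out], c) % P,
        14: gexp(gt, lam2) == com["u"] * prod(com["u_i"], c2) % P,
        15: gexp(com["t"], lam2) * gexp(com["v"], s) * gexp(gt, sum(x ** 3 for x in s_i)) % P
            == com["vt"] * prod(com["t_i"], c2) * prod(com["v_i"], c) * gexp(gt, sum(x ** 3 for x in c)) % P,
        16: gexp(com["w"], s) * gexp(gt, sum(x * x for x in s_i)) % P
            == com["wt"] * prod(com["w_i"], c) * gexp(gt, sum(c2)) % P,
    }

def run(A):
    """Keygen, encrypt, shuffle with matrix A, prove, verify; also decrypt the outputs to cross-check."""
    n = len(A)
    X, g = rand_zq(), rand_gq()
    y = gexp(g, X)
    gt, gts = rand_gq(), [rand_gq() for _ in range(n)]  # fixed basis, independent of the ciphertexts
    msgs = [rand_gq() for _ in range(n)]
    cts = []
    for M in msgs:
        k = rand_zq()
        cts.append((gexp(g, k), gexp(y, k) * M % P))
    r = [rand_zq() for _ in range(n)]
    out = shuffle(A, r, g, y, cts)
    com, secret = prove_commit(A, r, gt, gts, g, y, cts)
    c = [rand_zq() for _ in range(n)]  # verifier's challenge, chosen only after the commitments
    s, s_i, lam2 = prove_respond(A, r, secret, c)
    checks = verify(com, c, s, s_i, lam2, gt, gts, g, y, cts, out)
    decrypted = sorted(m * pow(gexp(gi, X), -1, P) % P for gi, m in out)
    return checks, decrypted == sorted(msgs)

if __name__ == "__main__":
    print(run(perm_matrix([2, 0, 3, 1])))  # all six checks pass, decryption matches
    signed = perm_matrix([2, 0, 3, 1])
    signed[2][0] = -1                      # satisfies condition 1 but not condition 2
    print(run(signed))                     # (11)-(14) and (16) pass, (15) fails
```

Two design points worth noticing when reading the run: the fixed basis `gt, gts` is generated independently of the ciphertexts, which is what Section 4.3 relies on to rule out a prover who knows relations among the bases, and the challenge is drawn only after `prove_commit` returns, since a challenge known in advance lets the prover choose commitments that satisfy the checks for any matrix.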
6 Discussions

In this section, we compare the efficiency of the proposed protocol described in Section 5 to the SK95 protocol in [SK95] and the MiP-2 protocol in [Ab99]. To enable a fair comparison, we assume the security parameter of [SK95] to be 160 and the lengths of p and q to be 1024 and 160 respectively.

We first compare them by the number of exponentiations used in each protocol, in the case of shuffling n ciphertexts. These are 22(n log n − n + 1) for Abe's protocol, 642n for the SK95 protocol, and 18n + 18 for the proposed protocol. If we adopt computation tools described in [HAC], such as the simultaneous multiple exponentiation algorithm and the fixed-base comb method, the number of exponentiations can be heuristically reduced to 11.2(n log n − n + 1), 64n, and 4.84n + 4.5, respectively. The total number of bits needing to be transferred during the protocols is 13,248(n log n − n + 1), 353,280n, and 5,280n + 13,792. The rounded-up numbers are shown in Table 1.

Table 1. Comparison of three protocols

                              Abe (MiP-2)       SK95         This Paper
No. exponentiations           22n log n         642n         18n
(heuristically adjusted)      11n log n         64n          5n
No. communication bits        2^13.7 n log n    2^18.4 n     2^12.4 n

7 Conclusion

In this paper, we presented a novel method to prove the correctness of a shuffle, and demonstrated its efficiency. The proposed method requires only 18n exponentiations for shuffling n ciphertexts, whereas previous methods required 35 times more, or required a higher order, O(n log n).

The proposed protocol can be used to build an efficient, universally verifiable voting system where the number of voters can scale up to the order of 10,000.

Acknowledgments. The authors would like to thank Tatsuaki Okamoto, Masayuki Abe, and Satoshi Obana for many helpful discussions.

References

[Ab99] M. Abe, Mix-Networks on Permutation Networks, Asiacrypt '99, LNCS 1716, 258-273 (1999)

[Br93] S. Brands, An Efficient Off-line Electronic Cash System Based On The Representation Problem, CWI Technical Report CS-R9323 (1993)

[Ch81] D. Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, Communications of the ACM, Vol. 24, No. 2, 84-88 (1981)

[CDS94] R. Cramer, I. Damgård and B. Schoenmakers, Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, Crypto '94, LNCS 839, 174-187 (1994)

An Efficient Scheme for Proving a Shuffle 379 



[HAC] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 617-619

[Ne01] C.A. Neff, Verifiable, Secret Shuffles of ElGamal Encrypted Data, initial version circulated Mar. 2000, current version submitted to ACM CCS '01

[OKST97] W. Ogata, K. Kurosawa, K. Sako and K. Takatani, Fault tolerant anonymous channel, 1st International Conference on Information and Communications Security (ICICS), LNCS 1334, 440-444 (1997)

[SK95] K. Sako and J. Kilian, Receipt-free mix-type voting scheme: A practical solution to the implementation of a voting booth, Eurocrypt '95, LNCS 921, 393-403 (1995)



A DDH_n^m and DDH

Lemma 1. For any m (≥ 2) and n (≥ 2), if DDH_n^m is easy, then DDH_n^2 is easy.

Proof. We claim that if DDH_n^m is easy, then either DDH_n^{m−1} is easy or DDH_n^2 is easy. By induction we can prove the correctness of the lemma.

In order to prove the claim, we define the subset M_n^m of R_n^m to be the set of tuples

$$I_n^m = \big(x_1^{(1)},\dots,x_1^{(m)},\; x_2^{(1)},\dots,x_2^{(m)},\; \dots,\; x_n^{(1)},\dots,x_n^{(m)}\big)$$

satisfying

$$\log_{x_1^{(i)}} x_j^{(i)} = \log_{x_1^{(1)}} x_j^{(1)} \bmod q$$

for all i (i = 2, 3, ..., m − 1) and j (j = 2, ..., n), but whether or not

$$\log_{x_1^{(m)}} x_j^{(m)} = \log_{x_1^{(1)}} x_j^{(1)} \bmod q$$

holds for all j (j = 2, ..., n) is arbitrary. Therefore, the set D_n^m is a subset of M_n^m.

It is clear that if DDH_n^m is easy, then we can either distinguish between the instances chosen uniformly from R_n^m and M_n^m or the instances chosen uniformly from M_n^m and D_n^m. In the former case, it means DDH_n^{m−1} is easy. We claim in the following that in the latter case DDH_n^2 is easy.

Assume M_n^m and D_n^m are distinguishable. For any I_n^2 ∈ R_n^2, s.t.

$$I_n^2 = \big(x_1^{(1)}, x_1^{(2)},\; x_2^{(1)}, x_2^{(2)},\; \dots,\; x_n^{(1)}, x_n^{(2)}\big),$$

we transform it to

$$I_n^m = \big(x_1'^{(1)},\dots,x_1'^{(m)},\; \dots,\; x_n'^{(1)},\dots,x_n'^{(m)}\big)$$

where

$$x_j'^{(i)} = \begin{cases}
x_j^{(1)} & j = 1,\dots,n \quad (\text{if } i = 1)\\[2pt]
\big(x_j^{(1)}\big)^{z_i} \bmod p & j = 1,\dots,n \quad (\text{if } 2 \le i \le m-1)\\[2pt]
x_j^{(2)} & j = 1,\dots,n \quad (\text{if } i = m)
\end{cases}$$

with randomly chosen {z_i} (i = 2, ..., m − 1) in Z_q.

If I_n^2 is chosen uniformly from D_n^2, then I_n^m is distributed uniformly in D_n^m, and if I_n^2 is chosen uniformly from R_n^2, then I_n^m is distributed uniformly in M_n^m. Therefore if D_n^m and M_n^m are distinguishable, then we can solve DDH_n^2.
Lemma 2. If DDH_n^2 (n > 2) is easy then the decisional Diffie-Hellman problem (DDH_2^2) is easy.

Proof. For any I_2^2 = (x_1^{(1)}, x_1^{(2)}, x_2^{(1)}, x_2^{(2)}) ∈ R_2^2, we transform it to I_n^2 ∈ R_n^2,

$$I_n^2 = \big(x_1'^{(1)}, x_1'^{(2)},\; x_2'^{(1)}, x_2'^{(2)},\; \dots,\; x_n'^{(1)}, x_n'^{(2)}\big),$$

where

$$x_1'^{(1)} = x_1^{(1)},\quad x_1'^{(2)} = x_1^{(2)},\quad x_2'^{(1)} = x_2^{(1)},\quad x_2'^{(2)} = x_2^{(2)},$$

$$x_j'^{(1)} = \big(x_1^{(1)}\big)^{z_j}\cdot\big(x_2^{(1)}\big)^{w_j} \bmod p,\qquad
x_j'^{(2)} = \big(x_1^{(2)}\big)^{z_j}\cdot\big(x_2^{(2)}\big)^{w_j} \bmod p \qquad (j = 3,\dots,n)$$

with randomly chosen {z_j} and {w_j} (j = 3, ..., n) in Z_q.

If I_2^2 is chosen uniformly from D_2^2, then I_n^2 is distributed uniformly in D_n^2, and if I_2^2 is chosen uniformly from R_2^2, then I_n^2 is distributed uniformly in R_n^2. Therefore if DDH_n^2 is easy, then so is DDH_2^2.
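Lemma 2's transformation coded up, as an added example (editor's code, not from the paper), over a constructed toy group with p = 2039, q = 1019 so that D_n^2 membership can be decided by brute-force discrete logarithm. It builds I_n^2 from a DDH_2^2 instance exactly as the proof does, with fixed z_j, w_j standing in for the lemma's random choices, and confirms that a D_2^2 tuple lands in D_n^2 while a non-DDH tuple stays outside it.

```python
# Lemma 2 as code: stretch a DDH_2^2 instance into a DDH_n^2 instance and check which side it lands on.
P, Q = 2039, 1019   # constructed toy group, p = 2q + 1; G_q = quadratic residues mod p
G = 4               # 2^2, a generator of the order-q subgroup

def gexp(b, e):
    return pow(b, e % Q, P)

def dlog(base, target):
    """Brute-force discrete log in G_q; only feasible because q is tiny."""
    acc = 1
    for e in range(Q):
        if acc == target:
            return e
        acc = acc * base % P
    raise ValueError("target not in the subgroup generated by base")

def stretch(inst, zs, ws):
    """Lemma 2: from I_2^2 = ((x_1^(1), x_1^(2)), (x_2^(1), x_2^(2))) build I_n^2, n = 2 + len(zs),
    with x_j^(k) = (x_1^(k))^{z_j} (x_2^(k))^{w_j} for j >= 3.  Rows are (x_j^(1), x_j^(2))."""
    (a1, a2), (b1, b2) = inst
    rows = [(a1, a2), (b1, b2)]
    for z, w in zip(zs, ws):
        rows.append((gexp(a1, z) * gexp(b1, w) % P, gexp(a2, z) * gexp(b2, w) % P))
    return rows

def in_D(rows):
    """D_n^2 membership: log_{x_j^(1)} x_j^(2) is the same exponent for every row j."""
    return len({dlog(x1, x2) for x1, x2 in rows}) == 1

def ddh_instance(a, ell, b):
    """(g, g^a, g^ell, g^{ell*b}): in D_2^2 iff b == a (mod q); otherwise an R_2^2 tuple outside D_2^2."""
    return ((G, gexp(G, a)), (gexp(G, ell), gexp(G, ell * b)))

if __name__ == "__main__":
    zs, ws = [5, 17, 300], [9, 42, 7]   # the lemma's random z_j, w_j, fixed here for reproducibility
    print(in_D(stretch(ddh_instance(123, 77, 123), zs, ws)))   # True: D_2^2 maps into D_5^2
    print(in_D(stretch(ddh_instance(123, 77, 124), zs, ws)))   # False: non-DDH input stays outside D_5^2
```

The reduction direction is the point: anything that decides D_n^2 versus R_n^2 on the stretched tuple decides the original two-row DDH instance, which is why the zero-knowledge proofs in Appendices B and C can reduce to DDH_{n+1}^2 and DDH_{n+1}^5 and still end at plain DDH.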



B Properties of Proof-1

In this section, we sketch the proofs of the following theorems.

Theorem 3 (soundness). If V accepts Proof-1 with a non-negligible probability, then P either knows both {r_i} and {A_ij} satisfying the first condition, or can generate non-trivial integers {a_i} and a satisfying g^a Π_{i=1}^n g_i^{a_i} = 1 with overwhelming probability.

Theorem 4 (zero-knowledge). We can construct a simulator of Proof-1 such that if there is a distinguisher who can distinguish between a real transcript from the protocol and an output from the simulator, then we can solve the decisional Diffie-Hellman problem.

B.1 Soundness

It is clear that Theorem 3 holds if Lemmas 3, 4 and 5 hold. We therefore prove the lemmas.

Lemma 3. If V accepts Proof-1 with non-negligible probability, then P knows {A_ij}, {r_i}, {α_i}, and α satisfying the representation g'_i = g^{r_i} Π_{j=1}^n g_j^{A_ji} mod p and Equation (6).

A sketch of Proof: Define C_P as the space which is spanned by the vectors (1, c_1, c_2, ..., c_n) made of the challenges to which P can compute responses s, {s_i} such that Equation (7) holds. If dim(C_P) = n + 1, P can choose n + 1 challenges which are linearly independent and obtain {r_i}_{i=1,...,n}, {A_ij}, {α_i}_{i=1,...,n}, and α which satisfy the relation:

$$s = \sum_{j=1}^{n} r_j c_j + \alpha,\qquad s_i = \sum_{j=1}^{n} A_{ij} c_j + \alpha_i \bmod q \quad (i = 1,\dots,n).$$

Such {A_ij}, {r_i}, {α_i}, and α satisfy the representation of {g'_i} and Equation (6). If dim(C_P) < n + 1, the probability that V generates a challenge in C_P is at most q^{n−1}/q^n = 1/q, which is negligible. □
Lemma 4. Assume P knows {A_ij}, {r_i}, {α_i}, and α satisfying the representation of {g'_i} and Equation (6). If P knows {s_i} and s which satisfy Equation (7) and either s ≠ Σ_{j=1}^n r_j c_j + α or s_i ≠ Σ_{j=1}^n A_ij c_j + α_i for some i hold, then P can generate non-trivial integers {a_i} and a satisfying g^a Π_{i=1}^n g_i^{a_i} = 1 with overwhelming probability.

Proof. The following gives a non-trivial representation of 1 using g, {g_i}:

$$g^{\sum_{j=1}^{n} r_j c_j + \alpha - s}\;\prod_{i=1}^{n} g_i^{\sum_{j=1}^{n} A_{ij} c_j + \alpha_i - s_i} = 1 \bmod p.$$

It is obtained from Equation (7) by rewriting g' and {g'_j} through their representations and dividing the right-hand side by the left-hand side. □

Lemma 5. Assume P knows {A_ij}, {r_i}, {α_i}, and α satisfying the representation of {g'_i} and Equation (6). If Equations (7) and (8) hold with non-negligible probability, then either the first condition Σ_{h=1}^n A_hi A_hj = δ_ij mod q holds or P can generate non-trivial integers {a_i} and a satisfying g^a Π_{i=1}^n g_i^{a_i} = 1 with overwhelming probability.

A sketch of Proof: From Lemma 4, if Equation (7) holds, then either

$$s = \sum_{j=1}^{n} r_j c_j + \alpha \bmod q,\qquad s_i = \sum_{j=1}^{n} A_{ij} c_j + \alpha_i \bmod q \quad (i = 1,\dots,n)$$

holds or P can generate non-trivial integers {a_i} and a satisfying g^a Π_{i=1}^n g_i^{a_i} = 1 with overwhelming probability. We concentrate on the former case. If Equation (8) holds, then

$$\sum_{i=1}^{n}\sum_{j=1}^{n}\Big(\sum_{h=1}^{n} A_{hi}A_{hj} - \delta_{ij}\Big)c_i c_j
+ \sum_{i=1}^{n}\Big(\sum_{j=1}^{n} 2\alpha_j A_{ji} + \sigma r_i - \varphi_i\Big)c_i
+ \Big(\sum_{i=1}^{n}\alpha_i^2 + \sigma\alpha - \varphi\Big) = 0 \bmod q,$$

where σ = log_g w, φ_i = log_g w_i and φ = log_g w̃ are the exponents fixed by the commitments sent in step 1 (for an honest prover φ_i = Σ_{j=1}^n 2α_j A_ji + σ r_i and φ = Σ_{i=1}^n α_i^2 + σα mod q). The left-hand side is a polynomial of degree at most two in the challenges {c_i}, and all of its coefficients are fixed before the challenges are chosen. If the first condition does not hold for some i and j, this polynomial is non-zero, and the probability that Equation (8) holds for a random challenge is negligible. □



B.2 Zero-Knowledge

A sketch of Proof: We first give a construction of the simulator. We then prove that if there exists such a distinguisher then we can solve DDH_{n+1}^2. From Lemma 2 it means it is equivalent to solving the decisional Diffie-Hellman problem.

The Construction of the Simulator

We will construct the simulator S of Proof-1 with the input p, q, g, {g_i}, {g'_i} as follows.

The simulator S first generates s, {s_i}, {c_i} ∈_R Z_q and w, {w_i} ∈_R G_q randomly. Then it computes g', w̃ as the following:

$$g' = g^{s}\prod_{i=1}^{n} g_i^{s_i}\prod_{j=1}^{n}{g'_j}^{-c_j} \bmod p,$$

$$\tilde w = w^{s}\, g^{\sum_{j=1}^{n}(s_j^2 - c_j^2)}\prod_{j=1}^{n} w_j^{-c_j} \bmod p.$$

The output of S is (w, g', {w_i}, w̃, {c_i}, s, {s_i}).

A Distinguisher of D_{n+1}^2 and R_{n+1}^2

We will then construct a distinguisher D' who can distinguish between the uniform instances of D_{n+1}^2 and R_{n+1}^2 if S can not simulate Proof-1.

Let's say the instance I = (x_1^{(1)}, x_1^{(2)}, ..., x_{n+1}^{(1)}, x_{n+1}^{(2)}) was chosen uniformly from either D_{n+1}^2 or R_{n+1}^2. Then this distinguisher will first generate g_1, g_2, ..., g_n as the constants used in Proof-1 and let g = x_1^{(1)}. It will then generate a random permutation matrix (A_ji) and compute

$$g'_i = x_{i+1}^{(1)}\prod_{j=1}^{n} g_j^{A_{ji}} \bmod p \quad (i = 1,\dots,n).$$

We note that {g'_i} gives a random permutation of {g_i}.

Based on g, {g_i}, {g'_i}, the distinguisher D' is going to act as a simulator S' which simulates the simulator S. More specifically, the simulator S' randomly generates s, {s_i}, {c_i} ∈_R Z_q and computes

$$w = x_1^{(2)},$$

$$g' = g^{s}\prod_{i=1}^{n} g_i^{s_i}\prod_{j=1}^{n}{g'_j}^{-c_j} \bmod p,$$

$$\alpha_j = s_j - \sum_{k=1}^{n} A_{jk} c_k \bmod q \quad (j = 1,\dots,n),$$

$$w_i = x_{i+1}^{(2)}\; g^{\sum_{j=1}^{n} 2\alpha_j A_{ji}} \bmod p \quad (i = 1,\dots,n),$$

$$\tilde w = w^{s}\, g^{\sum_{j=1}^{n}(s_j^2 - c_j^2)}\prod_{j=1}^{n} w_j^{-c_j} \bmod p.$$

The simulator S' outputs (w, g', {w_i}, w̃, {c_i}, s, {s_i}) (i = 1, ..., n).

Lemma 6. Simulator S' perfectly simulates Proof-1 when I ∈_R D_{n+1}^2.

Sketch: We let

$$\log_{x_1^{(1)}} x_{i+1}^{(1)} = r_i,\qquad \log_{x_1^{(1)}} x_1^{(2)} = \sigma.$$

Then it is clear that by randomly choosing {s_i} and s, it gives the same distribution of the output as when {α_i} and α were first chosen randomly, and the verifier honestly chooses a random challenge {c_i}.

Lemma 7. Simulator S' perfectly simulates S when I ∈_R R_{n+1}^2.

Sketch: Since {x_i^{(2)}}_{i=1,...,n+1} are randomly chosen, it gives the same distribution as when w_i and w are randomly chosen. □

Therefore, if there exists a distinguisher D that distinguishes the output of the simulator S and a real transcript of Proof-1, then this distinguisher can be used to solve DDH_{n+1}^2.

C Properties of the Main Protocol

In this section, we discuss the properties of the main protocol. The completeness property is clear. We provide proofs for the soundness and the zero-knowledge property.

C.1 Soundness

Theorem 9. If V accepts Main Protocol with a non-negligible probability, then P knows {r_i} and a permutation matrix (A_ij) satisfying the shuffle relations g'_i = g^{r_i} Π_{j=1}^n g_j^{A_ji} and m'_i = y^{r_i} Π_{j=1}^n m_j^{A_ji} mod p, or can generate non-trivial integers {a_i} and a satisfying g̃^a Π_{i=1}^n g̃_i^{a_i} = 1 with overwhelming probability.

A sketch of Proof:

We can show P's knowledge of {A_ij}, {r_i}, {α_i}, and α satisfying Equations (9) and (10) from the satisfiability of Equation (11), similar to Lemma 3. From the satisfiability of Equations (11) and (16), and additionally that of Equations (14) and (15), we can prove that the {A_ij} satisfy both conditions of Theorem 1 in a similar manner as proving Lemma 5. Thus Theorem 1 ensures that (A_ij) is a permutation matrix. The following lemma ensures that the same permutation matrix was applied to both {g̃_i} and {(g_i, m_i)} to achieve {g̃'_i} and {(g'_i, m'_i)}, yielding the correctness of the shuffle. □

Lemma 8. Assume P knows {A_ij}, {r_i}, {α_i}, and α satisfying Equations (9) and (10), and {s_i} and s satisfying Equation (11). If Equations (12) and (13) hold with non-negligible probability, then either the relationships

$$g' = g^{\alpha}\prod_{j=1}^{n} g_j^{\alpha_j} \bmod p,\qquad
g'_i = g^{r_i}\prod_{j=1}^{n} g_j^{A_{ji}} \bmod p,\qquad
m'_i = y^{r_i}\prod_{j=1}^{n} m_j^{A_{ji}} \bmod p \qquad (i = 1,\dots,n) \tag{17}$$

hold or P can generate non-trivial integers {a_i} and a satisfying g̃^a Π_{i=1}^n g̃_i^{a_i} = 1 with overwhelming probability.

A sketch of Proof: Similarly to Lemma 4, we can ensure that

$$s = \sum_{j=1}^{n} r_j c_j + \alpha,\qquad s_i = \sum_{j=1}^{n} A_{ij} c_j + \alpha_i \bmod q \quad (i = 1,\dots,n)$$

hold from the satisfiability of Equation (11) unless P can generate non-trivial integers {a_i} and a satisfying g̃^a Π_{i=1}^n g̃_i^{a_i} = 1. Note that these responses are now pinned down by the fixed basis alone. If Equation (12) holds with these responses, then, since g', {g'_j} and the {A_ij}, {r_i}, {α_i}, α were all fixed before the challenge, it is a relation in the random challenges {c_j} whose coefficients are fixed in advance; if the first two equations of (17) do not hold, the probability that Equation (12) holds is negligible. The same thing can be said for m'_i, from the satisfiability of (13). □

C.2 Zero-Knowledge

Theorem 10. We can construct a simulator of Main Protocol such that if there is a distinguisher who can distinguish between a real transcript from the protocol and an output from the simulator, then we can solve the decisional Diffie-Hellman problem.

A sketch of Proof: We first give a construction of the simulator. We then prove that if there exists such a distinguisher then we can solve DDH_{n+1}^5. From Lemmas 1 and 2 it means it is equivalent to solving the decisional Diffie-Hellman problem.

The Construction of the Simulator

We will construct the simulator S of the main protocol with the input p, q, g, y, g̃, {g̃_i}, {(g_i, m_i)}, {(g'_i, m'_i)} as follows.
The simulator S first generates s, {s_i}, {c_i}, λ' ∈_R Z_q and t, v, w, {u_i}, {t̃_i}, {ṽ_i}, {w_i}, {g̃'_i} ∈_R G_q randomly. Then it computes u, g̃', g', m', ṽ, w̃ as the following:

$$u = \tilde g^{\lambda'}\prod_{j=1}^{n} u_j^{-c_j^2} \bmod p,$$

$$\tilde g' = \tilde g^{s}\prod_{i=1}^{n}\tilde g_i^{s_i}\prod_{j=1}^{n}{\tilde g'_j}^{-c_j} \bmod p,$$

$$g' = g^{s}\prod_{i=1}^{n} g_i^{s_i}\prod_{j=1}^{n}{g'_j}^{-c_j} \bmod p,$$

$$m' = y^{s}\prod_{i=1}^{n} m_i^{s_i}\prod_{j=1}^{n}{m'_j}^{-c_j} \bmod p,$$

$$\tilde v = t^{\lambda'}\, v^{s}\,\tilde g^{\sum_{j=1}^{n}(s_j^3 - c_j^3)}\prod_{j=1}^{n}\tilde t_j^{-c_j^2}\prod_{j=1}^{n}\tilde v_j^{-c_j} \bmod p,$$

$$\tilde w = w^{s}\,\tilde g^{\sum_{j=1}^{n}(s_j^2 - c_j^2)}\prod_{j=1}^{n} w_j^{-c_j} \bmod p.$$

The output of S is

(t, v, w, u, {u_i}, {g̃'_i}, g̃', g', m', {t̃_i}, {ṽ_i}, ṽ, {w_i}, w̃, {c_i}, s, {s_i}, λ').

A Distinguisher of D_{n+1}^5 and R_{n+1}^5

We will then construct a distinguisher D' who can distinguish between the uniform instances of D_{n+1}^5 and R_{n+1}^5 if S can not simulate the main protocol.

Let's say the instance

$$I = \big(x_1^{(1)}, x_1^{(2)}, \dots, x_1^{(5)},\; \dots,\; x_{n+1}^{(1)}, x_{n+1}^{(2)}, \dots, x_{n+1}^{(5)}\big)$$

was chosen uniformly from either D_{n+1}^5 or R_{n+1}^5. Then this distinguisher will first generate g_1, m_1, g_2, m_2, ..., g_n, m_n, g̃_1, g̃_2, ..., g̃_n as the constants used in Main Protocol and let Λ ∈_R Z_q, g̃ = x_1^{(1)}, g = g̃^Λ, y = g^X mod p. It will then generate a random permutation matrix (A_ji) and a secret key X ∈_R Z_q and compute

$$(g'_i, m'_i) = \Big(\big(x_{i+1}^{(1)}\big)^{\Lambda}\prod_{j=1}^{n} g_j^{A_{ji}},\;\; \big(x_{i+1}^{(1)}\big)^{\Lambda X}\prod_{j=1}^{n} m_j^{A_{ji}}\Big) \bmod p \quad (i = 1,\dots,n).$$

We note that {(g'_i, m'_i)} gives a random shuffle of {(g_i, m_i)}.

Based on g, y, g̃, {g̃_i}, {(g_i, m_i)} and {(g'_i, m'_i)} the distinguisher D' is going to act as a simulator S' which simulates the simulator S. More specifically, the simulator S' randomly generates

s, {s_i}, {c_i}, λ', {β_i} ∈_R Z_q (i = 1, ..., n)

and computes
$$t = x_1^{(2)},\quad v = x_1^{(3)},\quad w = x_1^{(4)},$$

$$u_i = \big(x_{i+1}^{(1)}\big)^{\beta_i} \bmod p \quad (i = 1,\dots,n),$$

$$u = \tilde g^{\lambda'}\prod_{j=1}^{n} u_j^{-c_j^2} \bmod p,$$

$$\tilde g'_i = x_{i+1}^{(1)}\prod_{j=1}^{n}\tilde g_j^{A_{ji}} \bmod p \quad (i = 1,\dots,n),$$

$$\tilde g' = \tilde g^{s}\prod_{i=1}^{n}\tilde g_i^{s_i}\prod_{j=1}^{n}{\tilde g'_j}^{-c_j} \bmod p,$$

$$g' = g^{s}\prod_{i=1}^{n} g_i^{s_i}\prod_{j=1}^{n}{g'_j}^{-c_j} \bmod p,$$

$$m' = y^{s}\prod_{i=1}^{n} m_i^{s_i}\prod_{j=1}^{n}{m'_j}^{-c_j} \bmod p,$$

$$\alpha_j = s_j - \sum_{k=1}^{n} A_{jk} c_k \bmod q \quad (j = 1,\dots,n),$$

$$\tilde t_i = \big(x_{i+1}^{(2)}\big)^{\beta_i}\;\tilde g^{\sum_{j=1}^{n} 3\alpha_j A_{ji}} \bmod p \quad (i = 1,\dots,n),$$

$$\tilde v_i = x_{i+1}^{(3)}\;\tilde g^{\sum_{j=1}^{n} 3\alpha_j^2 A_{ji}} \bmod p \quad (i = 1,\dots,n),$$

$$w_i = x_{i+1}^{(4)}\;\tilde g^{\sum_{j=1}^{n} 2\alpha_j A_{ji}} \bmod p \quad (i = 1,\dots,n),$$

$$\tilde v = t^{\lambda'}\, v^{s}\,\tilde g^{\sum_{j=1}^{n}(s_j^3 - c_j^3)}\prod_{j=1}^{n}\tilde t_j^{-c_j^2}\prod_{j=1}^{n}\tilde v_j^{-c_j} \bmod p,$$

$$\tilde w = w^{s}\,\tilde g^{\sum_{j=1}^{n}(s_j^2 - c_j^2)}\prod_{j=1}^{n} w_j^{-c_j} \bmod p.$$

The simulator S' outputs

(t, v, w, u, {u_i}, {g̃'_i}, g̃', g', m', {t̃_i}, {ṽ_i}, ṽ, {w_i}, w̃, {c_i}, s, {s_i}, λ').

Lemma 9. Simulator S' perfectly simulates Main Protocol when I ∈_R D_{n+1}^5.

Sketch: We let

$$\log_{x_1^{(1)}} x_{i+1}^{(1)} = r_i,\qquad \log_{x_1^{(1)}}\big(x_{i+1}^{(1)}\big)^{\beta_i} = \lambda_i,$$

$$\log_{x_1^{(1)}} x_1^{(2)} = \tau,\qquad \log_{x_1^{(1)}} x_1^{(3)} = \rho,\qquad \log_{x_1^{(1)}} x_1^{(4)} = \sigma.$$

This gives, for i = 1, ..., n, the same g̃'_i, u_i, t̃_i, ṽ_i and w_i as an honest prover computes from these r_i, λ_i, τ, ρ and σ. Therefore, it is clear that by randomly choosing s, {s_i}, λ' and {β_i}, it gives the same distribution of the output as when α, {α_i}, {λ_i} and λ were first chosen randomly, and the verifier honestly chooses a random challenge {c_i}.

Lemma 10. Simulator S' perfectly simulates S when I ∈_R R_{n+1}^5.

Sketch: Since {x_i^{(j)}} (i = 1, 2, ..., n + 1) and β_i (i = 1, 2, ..., n) are randomly chosen, it gives the same distribution as when g̃, t, v, w, {g̃'_i}, {t̃_i}, {ṽ_i}, {w_i} and {u_i} are randomly chosen for i = 1, 2, ..., n. □

Therefore, if there exists a distinguisher D that distinguishes the output of the simulator S and a real transcript of Main Protocol, then this distinguisher can be used to solve DDH_{n+1}^5.



D Alternative Notation

We present here an alternative notation of the variables. Since we have discussed the basis {g, g_1, ..., g_n} throughout the paper, we can think of representing g by g_0. Similarly y by m_0 and g̃ by g̃_0. We can include the values of the randomizers {r_i}, α_i and α in the matrix by defining A_0i = r_i, A_i0 = α_i and A_00 = α.

Treating a public key in a similar manner with input variables may be awkward, but it gives a compact representation to some of the variables, e.g.,

$$g'_\mu = \prod_{\nu=0}^{n} g_\nu^{A_{\nu\mu}},\qquad
m'_\mu = \prod_{\nu=0}^{n} m_\nu^{A_{\nu\mu}},\qquad
\tilde g'_\mu = \prod_{\nu=0}^{n}\tilde g_\nu^{A_{\nu\mu}} \qquad (\mu = 0,\dots,n).$$

Further suggestions for the alternative notation follow:

$$g'_0 = g',\quad m'_0 = m',\quad \tilde g'_0 = \tilde g',\quad s_0 = s,\quad c_0 = 1,\quad \lambda_0 = \lambda,\quad u_0 = u,$$

$$s_\mu = \sum_{\nu=0}^{n} A_{\mu\nu} c_\nu,\qquad
\lambda' = \sum_{\nu=0}^{n}\lambda_\nu c_\nu^2 \qquad (\mu = 0,\dots,n).$$
Abstract. An identity escrow scheme allows a member of a group to 
prove membership in this group without revealing any extra information. 
At the same time, in case of abuse, his identity can still be discovered. 
Such a scheme allows anonymous access control. In this paper, we put 
forward the notion of an identity escrow scheme with appointed verifiers. 
Such a scheme allows the user to only convince an appointed verifier 
(or several appointed verifiers) of his membership; but no unauthorized 
verifier can verify a user’s group membership even if the user fully 
cooperates, unless the user is completely under his control. We provide 
a formal definition of this new notion and give an efficient construction 
of an identity escrow scheme with appointed verifiers provably secure 
under common number-theoretic assumptions in the public-key model. 

Keywords. Identity escrow, group signatures, privacy protection, formal 
model for group signatures. 



1 Introduction 

As digital communication becomes the preferred means of information exchange, 
it becomes ever easier for those of questionable motivation to mine the accumu- 
lated data. Under these circumstances, both the importance and the challenge 
of protecting the privacy of individuals grow considerably. A number of crypto- 
graphic protocols that limit the information dispersed from accumulated data 
have been proposed. These are, for instance, anonymous voting protocols [STTOj . 
anonymous payment schemes [hi 1 8| . and credential systems [91 1 b) . All these sys- 
tems follow the principle of data minimization, i.e., a participant in the system 
can only learn as much information about the other participants as is necessary 
for the system to function properly. 

In this context, group signatures mmi are an important building block. 
They allow a member of some group to sign anonymously on the group’s behalf. 

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 388-407, 2001.
© Springer-Verlag Berlin Heidelberg 2001

Thus, a party receiving a signature can be sure that its originator is a member 
of the group, but receives no other information. However, in exceptional cases 
such as when the anonymity is misused and a legal dispute arises, a designated 
revocation manager has the power to reveal the unambiguous identity of the 
originator of the signature. At the same time, no one can misattribute a valid 
group signature. A concept dual to group signature schemes is that of identity 
escrow ^2] schemes. They can be seen as group-member identification schemes 
with revocable anonymity. In fact, any group signature scheme can be turned 
into an identity escrow scheme and vice versa. 

Group signatures can, for instance, be used by the purchasing department of 
a company to hide the internal structure of this department. All members of the 
department form a group, and sign all purchasing orders using group signatures. 
In case one day a sports car gets delivered instead of pencils, the department 
manager will be able to identify the culprit. Recently, group signature schemes 
were used to realize an anonymous credential system 0. Here, being a member 
of some particular group meant possessing a particular credential. Hence, own- 
ership of a credential can be proved anonymously. Other applications include 
bidding EDI, electronic cash ESI, and anonymous fingerprinting 0. 

Group signature/identity escrow schemes with appointed verifiers, as pro- 
posed in this paper, go a step further: here a group member can prove his mem- 
bership only to an appointed verifier but not to anyone else. There can be several 
different appointed verifiers for each member. This property of not being able to 
convince non-appointed parties is similar to receipt-freeness in electronic voting 
schemes, where a voter must not be able to prove to anyone how she voted, which 
is required to hinder vote-buying. We stress that this is different from the situ- 
ation with so-called confirmer signatures HD or designated-verifier proofs 
where although signatures (resp., proofs) can only be verified by a designated 
party, the signer (resp., prover) would have the power to issue a signature (resp., 
proof) that is universally verifiable. 

Appointed verifiers are useful for many applications of group signature and 
identity escrow schemes. As an example, consider a bank that issues a credential 
stating that the customer is eligible for a small business loan. The bank might 
want to have a guarantee that the customer cannot use this credential in order 
to obtain a better loan from a competing bank; or to use the loan money for 
something other than the business for which it was granted. Or, consider the 
purchasing department scenario outlined above. Naturally, different members of 
the department are authorized to conduct different kinds of transactions. Using a 
group signature scheme with appointed verifiers allows the department manager 
to ensure that employees can only order from the companies they are authorized. 
Finally, consider their use in a credential scheme. It is natural that for some types 
of credentials the user should not be able to show them to anyone except the 
intended verifier. This can be useful in preventing abuse of credentials as well as 
in controlling who can get to know to whom the credentials were issued. 

Let us loosely outline how our identity escrow (group signature) scheme with 
appointed verifiers is constructed. To this end we first explain how efficient and 
provably secure group signature schemes are realized. The public key of 

the group can be viewed as a public key of a suitable signature scheme. The 
group manager holds the secret key corresponding to this public key. To become 
a group member, a user chooses, as membership secret key, an element of a 
certain (algebraic) group. The user’s identifier is computed as a one-way function 
of this key, for example through exponentiation in a group where computing the 
discrete logarithm is conjectured to be hard. The group manager signs (certifies) 
this identifier and sends back the signature to the new group member. This 
signature is the user’s group membership certificate. To convince a verifier of her 
group membership, a user proves in zero-knowledge that she knows a membership 
certificate and the corresponding membership secret key. In case of a group 
signature scheme, this proof is turned into a signature scheme using the so- 
called Fiat-Shamir heuristic m- An identity escrow scheme constructed in this 
way is provably secure as long as the underlying signature scheme is secure. The 
corresponding group signature scheme is provably secure in the random oracle 
model. The challenge in designing an efficient identity escrow or group signature 
scheme is finding a signature scheme for the group manager and a format for 
membership secret keys and corresponding identifiers such that the proof of 
membership is efficient. 

To extend such a scheme to an identity escrow system with appointed ver- 
ifiers, we will have the group manager split the group membership certificate 
into two pieces. The first piece will be handed over to the user. The second piece 
will be encrypted under the appointed verifier’s public key. It will be easy to 
fake a tuple that looks like the first piece of the membership certificate and the 
encryption of the second piece. Only the appointed verifier, under whose public 
key the encryption is carried out, will be able to verify that a given ciphertext 
corresponds to the second piece of a user’s certificate. Together, the two pieces 
constitute an unforgeable group membership certificate. To prove group mem- 
bership to the appointed verifier, the user could prove possession of his piece of 
the membership certificate as before, and then give the verifier a blinded version 
of the encrypted piece. 

An adversary in this system can try to induce some verifier to accept an 
invalid user; or he can try to make it look as though some honest user participated 
in a shady transaction; or he can conduct a shady transaction and then try to 
avoid anonymity revocation; or he can try to convince another adversary, who is 
not an authorized verifier, that some user is a group member. We provide a formal 
definition of security against such attacks. For the first time, a formal model for 
identity escrow schemes along the lines of an ideal world specification, is given. 
These new identity escrow/group signature specifications are more rigorous than 
the ones that exist to date. As they are similar to the definitions from the 
multi-party computation literature [citations], they integrate with this literature 
better than previous specifications did, and so such properties as composability 
of protocols can be better understood in this framework (but we do not address 
them here). Finally, we formally define the appointed-verifier property, i.e., the 
property that no proof system (A, B) exists in which A is a group member, B is 
not the appointed verifier, and yet A acts as a prover and B as a verifier for the 
statement that A is a group member, and the gap between the completeness and 
soundness of the system is non-negligible. Cryptographic problems of this flavor 
have not been sufficiently explored. While receipt-free voting is a relatively well- 
studied example [citations], no formal definition of receipt-freeness has been given, 
and it is not well understood what gap between completeness and soundness for 
the adversary-verifier in receipt-free voting is satisfactory. Thus, we are the first 
to explore this in a formal way and to obtain a scheme that satisfies our strong 
and relatively natural definition. 

We prove that, under the strong RSA assumption, the decisional compos- 
ite residuosity assumption, and the decisional Diffie-Hellman assumption, our 
scheme is secure and has the appointed verifier property. 



2 The Model 

In this section, we define an ideal identity escrow scheme with appointed ver- 
ifiers. Here, an ideal trusted third party takes care of the proper functionality 
of the system. Our model captures all the properties of previous ones (without 
appointed verifiers) in a natural way. We then define what it means for a real 
system to match this specification. We define the system with one group and one 
revocation manager; extending it to multiple ones is straightforward. Extending 
the model to group signatures can be done as well. 



The Ideal System. The ideal system, the functionality of which is ensured by 
an ideal trusted party T, is as follows: 

Ideal parties: The trusted party T, the group manager M , a set of users U, a set 
of verifiers V, and the anonymity revocation manager R. 

Ideal communication: All communication is routed through T. If the sender of 
a message wishes to be anonymous, he requests that T not reveal his identity 
to the recipient. Finally, a sender of a message may request that a session, i.e., 
a block of messages, be established between him and the recipient. This session 
then gets a session id sid. 

Ideal operations for a general identity escrow scheme: 

Join. This operation is a session between a user U and the group manager M. 
M tells T that it wants user U to become a member of the group. The user 
confirms that he wants to be a member. Upon receiving these messages from 
M and U, T sends a key K_U to U for further transactions related to his group 
membership; he also notifies M of the success of the transaction. 
Authenticate. This operation is a session between a user and a verifier V. The 
user must send a tuple (K, sid, V, con) to T, where K denotes a key, sid denotes 
a session id, V is the name of the verifier, and con is the condition under which 
the identity of the participating user can be established. T verifies that K 
is a key that corresponds to some group member (not necessarily the user 
from whom the request originates). If so, T tells the verifier V that the user 
with whom the verifier has session sid running is a member of the group. V 
then either accepts or rejects, and forwards his reply to T. (If T receives no 
reply, that is equivalent to rejecting.) T then notifies the user of the verifier's 
output. 

Identify. This operation is a session between the revocation manager R and the 
verifier V. V submits a tuple (sid, con) to T and to R. R asks T to confirm 
that sid was an Authenticate operation with revocation condition con. Then 
R may ask T to reveal to R the identity of the user who participated in session 
sid. Finally, R may ask T to reveal the user’s identity to V. 

Ideal operations for an appointed-verifier identity escrow scheme: 

Join with appointed verifier. This operation is a session between a user U and 
the group manager M. As a result, M tells T that user U's membership can 
be confirmed to verifier V. The user receives a key K_U from T for further 
transactions related to authenticating his group membership to V. 
Authenticate to appointed verifier. This is the same as in the general scheme, 
except that T will only carry this out with the appointed verifier V. 

Convert. This operation is between a user and the appointed verifier V. V tells 
T that the user is now authorized to demonstrate group membership to other 
verifiers. T notifies the user of that fact. 

Authenticate. This is the same as in the general scheme, except that T will only 
carry this out if the user is authorized to demonstrate group membership to 
all verifiers. 

Identify. This is the same as in the general scheme. 

Inputs and outputs of the ideal players: The ideal players are interactive prob- 
abilistic Turing machines. Prior to initiating a transaction, a player receives an 
input that tells it to do so. These inputs are produced externally. At the end of 
the lifetime of the system, each player outputs a list of interactions in which this 
player has participated and their outcome (success/failure). 



The Real System. We make the following assumptions on the communication 
in the real system: We are in the public-key model, i.e., each user has carried 
out a proof of knowledge of his secret key at the beginning of the lifetime of the 
system. It is possible to establish a session between an anonymous user and a 
verifier (in practice, this can be achieved by a so-called mix-network [citation] or by 
onion-routing protocols [citation]). The information transmitted over a channel cannot 
later be retrieved by some physical means (i.e., it does not stick around in routers 
and caches). This is necessary to make sure that one cannot demonstrate that 
one sent or received a given message. This can also be achieved in conjunction 
with the methods to get anonymous communication, e.g., by requiring the hosts 
to delete all processed data. The real system is implemented by cryptographic 
protocols. 
Security vs. Appointed-Verifier Property. The usual way of defining se- 
curity of a real system is to restrict the power of the real-world adversary to the 
power of an adversary that controls the same set of players in the ideal system. 
Security in this sense is exhibited by providing a simulator that translates the 
real-world adversary into one in the ideal world. Here, in addition to providing 
security in this sense, we have to also allow for the case where there are two 
adversaries, such that one is trying to convince the other of his relationship with 
other players. Therefore, two security properties must be satisfied. 



Protecting the Honest Players. First, we have to guarantee simulator-based 
security for the honest parties. 

The ideal-world (resp., real-world) adversary is a probabilistic polynomial- 
time Turing machine that can control some subset of ideal (resp., real) parties 
and participate in transactions on their behalf. In addition, the adversary con- 
trols the environment, i.e., he either explicitly gives input to other players as to 
the transactions to be carried out, or he specifies the probability distribution on 
these inputs. 

At the end of the lifetime of the system, each player outputs the entire list 
of interactions in which this player has participated and their outcome (suc- 
cess/failure). 

Let the ideal system be called IS, and its cryptographic implementation be 
called CS. Let p = poly(k) be the number of players in the system with security 
parameter k. Let Z_i denote the output of the i-th player. In the real world, a 
public-key infrastructure has been securely set up (i.e., each party has produced 
a public key and proved knowledge of the corresponding secret key). Let P 
denote its public information; let a denote the collection of dishonest players' 
secret keys. (In case we are working in the absence of the public-key model, 
these are empty strings.) An identity escrow scheme is secure if the adversary A 
cannot distinguish whether he is interacting with the real-world honest players, 
or if in fact the system is implemented in the ideal world (so all the honest 
players are shielded because T protects them) and he is just interacting with a 
simulator. More formally, with "$D_1(1^k) \approx D_2(1^k)$" denoting the computational 
indistinguishability of the distributions $D_1$ and $D_2$: 

Definition 1 (Secure identity escrow scheme). CS is secure if there exists 
a simulator S (ideal-world adversary) such that for all interactive probabilistic 
polynomial-time real-world adversaries A, for all sufficiently large k, we have: 

- In the IS, S controls the same set of players as A does in CS. 

- The inputs given by S to the ideal-world players are identical to those given 
by A to the real-world players. 

- For all P, 

$$
\bigl(\{Z_i^{CS}(1^k, P, s_i)\}_{i=1}^{p},\ A(1^k, P, a)\bigr) \approx \bigl(\{Z_i^{IS}(1^k, P, s_i)\}_{i=1}^{p},\ S^{A}(1^k, P, a)\bigr)
$$

where S is given black-box access to A. 
Comparison with previous models. It is easy to see that this ideal model 
captures the requirements correctness, anonymity, unlinkability, traceability, ex- 
culpability/framing, and coalition-resistance of previous models (e.g., [citations]), i.e., 
that the trusted party T ensures them. 



No Benefits for Dishonest Players that Mistrust Each Other. Infor- 
mally, an identity escrow scheme is appointed-verifier if only the appointed ver- 
ifier can be persuaded that a user is a member of the group. A formal definition 
is more complex. Formally, we have two adversaries, A and B, and A tries to 
convince B that some player A it controls is a group member, even though B 
does not control the appointed verifier V . The appointed verifier property of the 
scheme makes it impossible for any proof system (A,B), where A acts as prover 
and B as verifier, to have a non-negligible gap between the completeness and the 
soundness of the system. However, in defining this property, we have to take into 
account that (1) B can apply to V to tell him whether a given user is a group 
member; and (2) B can become convinced of the truth of the statement by means 
that are independent of the system's implementation: for example, if A is the 
only user in the system, and V flashes a green light every time it recognizes a 
group member. Thus, a formalization of the appointed verifier property is bound 
to be technically involved. 

The approach we will take to defining it is as follows: we will require that 
for any A, there exists an efficient D such that whenever A can convince B 
that A has group membership with appointed verifier V, D can convince B of 
the same statement without access to group manager M's messages pertaining 
to the corresponding Join operation. We will call D the deceiver, because it 
can deceive any verifier B. However, D is not responsible if B has other ways, 
implementation-independent, of getting convinced. That is why, in the definition, 
we need an additional efficient machine, F, called the filter, which sets up the 
relevant group membership on behalf of A, but shields D from this information. 
F guarantees that group manager M and verifier V have the same view whether 
A has a valid membership certificate or one faked by D. Intuitively, if B cannot 
distinguish whether he is talking to A, or to the deceiver D, but can still tell 
whether or not A is a group member with appointed verifier V, then B's way 
of telling is implementation-independent, and arises from the way other parties, 
such as M and V, behave. We now proceed to formalize this idea. 

Let A and B be the two adversaries, modeled by probabilistic polynomial- 
time interactive Turing machines. Let ES denote an event sequence in the cryp- 
tographic identity escrow scheme. We write for a machine C to denote the 
fact that these events may be scheduled one-by-one, maybe even by an adversary. 
Let P denote the public information of the public-key infrastructure. Let a de- 
note the set of secret keys of the players controlled by A. Let a' be an additional 
input to A. By $A \in \mathcal{A}$ we denote that A is a player controlled by adversary $\mathcal{A}$. 
Let $L \subseteq \{(A, V) : A \in \mathcal{A},\ V \notin \mathcal{A},\ V \notin \mathcal{B}\}$ be a list of user-verifier pairs that is 
given as a challenge to B. We say that such a list L is good for ES, A and B, if 
in the sequence of events specified by ES, for all $(A, V) \in L$, V never performs 
the Convert and Identify operations for A, and B and V have not engaged in the 
Authenticate with appointed verifier protocol in which V accepted such that a 
subsequent Identify operation, if carried out, will point to A. 

Let F(1^k, P, L, a, mode) and D(1^k, P, L, a, mode) be interactive Turing ma- 
chines. The mode part of their input specifies their behavior as follows: There 
are two modes of operation, the real mode and the fake mode. In the real mode, 
F passes the messages received from ES on to D, which in turn passes them on 
to A. If A sends any messages to B, D faithfully passes them. 

In the fake mode F behaves as follows: If a session sid is a Join with appointed 
verifier of user $A \in \mathcal{A}$ for verifier V, where $(A, V) \in L$, then F does not pass 
A's messages for sid to M, and does not forward M's replies to A for this 
sid. Instead, F carries out the Join operation himself, on behalf of A, possibly 
guided by additional input from D. It then notifies D whether this Join was 
successful. If a session sid is an Authenticate to appointed verifier between A 
and V such that $(A, V) \in L$ and the corresponding Join has taken place, then F 
does not pass A's messages for sid to V, and does not forward V's replies to D 
for this sid. Instead, F carries out the Authenticate operation himself, on behalf 
of A, possibly guided by additional input from D. It then notifies D whether this 
Authenticate was successful. For all other sessions, F just passes all the messages 
to and from D. 

In the fake mode, D behaves as follows: For a session sid of Join with ap- 
pointed verifier for user A and verifier V where $(A, V) \in L$, D will create fake 
messages and send them to A in place of the group manager's messages. For 
a session sid of Authenticate to appointed verifier D will decide whether this 
session is between user A and verifier V, $(A, V) \in L$. In case it is, D notifies F, 
and possibly sends it additional information. D will then create messages to A 
in place of V's responses. For all other sessions, D passes all the messages to and 
from A. 

We stress that D does not have the ability to reset B. 



Definition 2 (Appointed verifier property). An identity escrow scheme has 
the appointed-verifier property if there exist polynomial-time algorithms D, F 
as described above, such that for all probabilistic polynomial-time (in their first 
input) adversaries A, B, for all P, a', b, for all sequences of events in the system 
ES, and for all good lists L, 

$$
\mathcal{B}^{\mathcal{A}^{\mathcal{D},\mathcal{F}}(1^k, P, L, a, a', \mathrm{real})}(1^k, P, L, b, \mathrm{real}) \approx \mathcal{B}^{\mathcal{A}^{\mathcal{D},\mathcal{F}}(1^k, P, L, a, a', \mathrm{fake})}(1^k, P, L, b, \mathrm{fake})
$$



3 High-Level Presentation of Our Construction 

First, a public-key infrastructure is set up in which each user has a secret key 
x and, based on this secret, an identifier S_U = h^x, where h is a generator of some 
group G. Other players in the system have their public keys set up as follows: 
The group manager's public key is a modulus n = pq such that p = 2p' + 1 and 
q = 2q' + 1, and p, q, p' and q' are all prime numbers, and five quadratic residues 
modulo n, denoted (a_0, a_1, a_2, a_3, a_4). (The length of n depends on the size of 
the group G.) Each verifier has a public key for the Paillier cryptosystem. A 
revocation manager R for this scheme will have a Cramer-Shoup public key in 
G. The specifics of how these keys are set up are described in Section 5.1. 

For a user with secret key x, a group membership certificate for an appointed 
verifier V will be a quintuple (s, Z, c, u, e) such that each of these values lies in 
the correct integer interval, = (ooof 02.^04)^ holds, and c is the encryption 
of the value log_{a_3} Z mod n under V's public key. We show that such a certifi- 
cate is hard to forge under the strong RSA assumption and the 
assumption that computing discrete logarithms modulo a modulus of this form 
is hard. On the other hand, if c is not an encryption of log_{a_3} Z mod n, then this 
certificate is easy to forge (Lemma 3). As V is the only entity that can check this, 
under the assumption that the Paillier cryptosystem is semantically secure, this 
is the first key step towards obtaining the appointed verifier property (the other 
key step is discussed at the end of this section). The fact that c is included in the 
certificate implies security for the verifier against adaptive attacks even though 
the Paillier encryption scheme as such is not secure against these attacks.^1 This 
membership certificate is issued via a protocol (between the user and the group 
manager) that does not allow the group manager to learn x and s, but only 
the identifier S_U and the value S (mod n) defined in Section 5.2. This protocol 
is described in detail in Section 5.2. 

To prove group membership to V, the user blinds c to obtain c', and blinds 
Z to obtain Z' in such a way that, if c is the encryption of log_{a_3} Z, then c' is 
the encryption of log_{a_3} Z'. This is why we use the Paillier cryptosystem: the 
additive homomorphism property of the Paillier scheme is crucial for this step. 
c' and Z' are given to the verifier. Further, the user proves knowledge of a tuple 
(x, s, c, Z, u, e, r) such that (s, Z, c, u, e) is a group membership tuple for key x, 
and r is the randomizer used to blind (c, Z) to obtain (c', Z'). In addition, to 
enable anonymity revocation, the user provides an encryption E of his identifier 
S_U under the anonymity revocation manager's public key and proves that E is 
a valid encryption of an identifier that is based on the same x as the group 
membership certificate. These proofs are done using efficient statistical zero- 
knowledge discrete-logarithm-based proofs of knowledge. The fact that these 
proofs are zero-knowledge and that the user blinds c and Z gives us anonymity 
for the user. These proofs are described in detail in Section 5.3. Finally, the 
verifier checks that (1) c' is an encryption of log_{a_3} Z', and (2) the user carried 
out the proofs correctly. If so, the verifier accepts. 

To convert an appointed-verifier membership certificate into a universally 
verifiable membership certificate, the appointed verifier reveals log_{a_3} Z' to the 
user. Under the strong RSA assumption and the hardness of discrete logarithms 
modulo n, the resulting tuple (x, s, z, c, u, e) is hard to forge (cf. full version of 
this paper [citation]). 

^1 This step resolves the following paradox: On the one hand, we want the encryption 
scheme to be malleable, so that the user can successfully blind the ciphertext c. On 
the other hand, we want it to be secure against adaptive attacks by malicious users. 
Thus c is created by the group manager. 

Let us finally discuss the second key element to achieve the appointed verifier 
property: requiring a user to verifiably encrypt, under her own public key, some 
of the secrets she uses in the Authenticate to appointed verifier protocol. This is 
necessary as, in essence, the definition for this property requires that no matter 
how adversary A behaves, and no matter how often and when A and B exchange 
messages, there is nothing A can convince B of that D (in fake mode) would 
not be able to convince him of either. Running in fake mode requires D to 
know a great deal about the internal information of A. Traditionally, this would 
be realized by allowing D black-box access to A and the ability to rewind it. 
However, as we allow message exchanges between A and B at arbitrary times, 
arbitrarily interleaved with other executions, this is not possible as it would 
require D to have black-box access to other players as well (in particular those 
controlled by B). Thus, D must somehow contain a knowledge extractor that 
does not rewind A. D will instead extract what it needs to know from the 
verifiably encrypted secrets. Thus, we need the public-key model: in this model, 
A and, as a consequence, D, will receive as input the secret keys of all the players 
controlled by A. 

4 Preliminaries 

4.1 Proof Protocols and Corresponding Notation 

We use notation introduced by Camenisch and Stadler [citation] for the various proofs 
of knowledge of discrete logarithms and proofs of the validity of statements about 
discrete logarithms. For instance, 

$$
PK\{(\alpha, \beta, \gamma) : y = g^{\alpha} h^{\beta} \wedge \tilde{y} = \tilde{g}^{\alpha} \tilde{h}^{\gamma} \wedge (u < \alpha < v)\}
$$

denotes a "zero-knowledge Proof of Knowledge of integers $\alpha$, $\beta$, and $\gamma$ such that 
$y = g^{\alpha} h^{\beta}$ and $\tilde{y} = \tilde{g}^{\alpha} \tilde{h}^{\gamma}$ holds, where $u < \alpha < v$," where $y, g, h, \tilde{y}, \tilde{g}$, and $\tilde{h}$ are 
elements of some groups $G = \langle g \rangle = \langle h \rangle$ and $\tilde{G} = \langle \tilde{g} \rangle = \langle \tilde{h} \rangle$. By convention, the 
Greek letters denote quantities the knowledge of which is being proved, while all 
other parameters are known to the verifier. Using this notation, a proof-protocol 
can be described by just pointing out its aim while hiding all details. 

It is important that we use protocols that are concurrent zero-knowledge. 
They are characterized by remaining zero-knowledge even if several instances 
of the same protocol are run arbitrarily interleaved [citations]. Damgård shows 
that so-called Σ-protocols (this includes all the PK's discussed above) can easily 
be made concurrent zero-knowledge in many practical scenarios, including the 
public-key model. We assume throughout that the latter technique is used with 
all PK's. 
4.2 Proving That a Commitment Contains a Paillier Encryption 

Our scheme requires a proof that some value e is a Paillier encryption [citations] of 
a value x that the prover knows, under a given Paillier public key (g, n), and a 
similar proof where the ciphertext e is not given as input to the verifier; instead 
only a Pedersen commitment to ciphertext e is given. Protocols for carrying 
out the former proof have been realized [citation]. The latter proof is, to the best of 
our knowledge, not found in the literature and is constructed as follows: 

Let (g, n) be the public key of Paillier's encryption scheme. Assume that we 
are given a group $G = \langle g \rangle = \langle h \rangle$ of order $n^2$. Let E be the commitment to a 
ciphertext, i.e., $E = g^{e} h^{s}$ where $e = g^{x} r^{n} \bmod n^2$. Using the protocol denoted 
$PK\{(\alpha, \beta, \gamma) : E = g^{(g^{\alpha} \beta^{n})} h^{\gamma}\}$ the prover can convince the verifier that E is a 
commitment to a Paillier encryption of some value she knows. The protocol is 
as follows. 

1. The prover chooses ri and r 2 ,r^ i computes t = and 

sends t to the verifier. 

2. The verifier chooses a c ∈_R {0, 1} and sends c to the prover. 

3. The prover computes s = ri — ca; mod n, u = mod and v = 

T 3 — czg'^u^ mod v? and sends s and u to the verifier. 

4. The verifier checks whether t = if c = 0 and whether t = 

otherwise. 

It is easy to see that the protocol is correct and is an honest-verifier zero-knowledge proof 
of knowledge. 

4.3 Verifiable Encryption 

Verifiable encryption [citation] is a protocol between a prover and a verifier such that 
as a result of the protocol, on input public key E and value v, the verifier obtains 
an encryption e of some value w under E such that (w, v) ∈ R. For instance, R 
could be the relation {(w, g^w)} ⊆ Z_q × G. Generalizing the protocol of Asokan et 
al. [citation], Camenisch and Damgård [citation] provide a verifiable encryption scheme for 
a class of relations that, in particular, includes all discrete-logarithm relations 
that are of relevance in this paper. We denote verifiable encryption similarly 
as the PK's, e.g., e := VE(ElGamal, (u, v)){(α) : y = g^α} denotes the verifiable 
encryption protocol for the ElGamal scheme, whereby log_g y is encrypted in e 
under public key (u, v). Note that e is not a single encryption, but the verifier's 
entire transcript of the protocol and contains several encryptions, commitments 
and responses of the underlying PK. 

5 An Identity Escrow Scheme with Appointed Verifiers 

5.1 Key and System Setup 

Our protocols are realized in the public-key model, thus the initial setup is the 
public-key infrastructure in which each user has a public key and has proved 
knowledge of the secret key to some entity, say the CA. Specifically, some group 
G = ⟨g⟩ = ⟨h⟩ of prime order q is given, such that log_g h is unknown. Also, each user 
has a secret key x_U ∈_R Z_q, and a corresponding public key S_U = h^{x_U}. The user 
has submitted this S_U to the CA of this public-key infrastructure and has 
executed PK{(α) : S_U = h^α} with the CA. The CA sends the user a signature 
on S_U and publishes S_U and the user's name. 

In addition, to get security in case the protocols are executed concurrently, 
we assume that all zero-knowledge proofs (PK) are carried out using the con- 
struction due to Damgård [citation]. This requires initially setting up public keys for a 
trapdoor commitment scheme. 

Other security-related system parameters are as follows: the length of the 
RSA modulus of the group manager, integer intervals T = ] — 2^^ , 2^^ [, A = 
] - 2^^ , 2^^ [, A = [ such that q <2^’', £a = e(4£„ -fi 3) and = 2^„, 

where e > 1 is a security parameter, and £a > ^i;-l-^zi-l-4 . Furthermore, let £„ be 
the length of the RSA modulus of the verifier for Paillier’s encryption scheme PS|- 
We require that 2iy < ip holds. There further are £z and C with £z > ef ^ + 1 
and -I- e£r + 1 < £v Define the integer intervals f? =] 2^’‘ — 2 ^^ , 2^‘ P 2^'" , 
^ =] - and 17' =]2^- - 2<=^-+i, 2^^- -fi {C must be large enough 

to make computing an f^-bit discrete logarithm modulo an £„-bit RSA modulus 
hard, where the modulus is the product of two safe primes.) 

The public key of the group manager consists of an ℓ_n-bit RSA modulus 
n = pq = (2p' + 1)(2q' + 1) that is the product of two safe primes, and random 
elements a_4, a_3, a_2, a_1, a_0, g, h ∈_R QR_n of maximal order. The factorization of n 
is the group manager's secret key. The revocation manager sets up his public 
and secret key for the Cramer-Shoup encryption scheme [citation] over G (i.e., the 
group that comes from the public-key infrastructure), i.e., x_1, ..., x_5 ∈_R Z_q are 
the secret keys and (y_1 := g^{x_1} h^{x_2}, y_2 := g^{x_3} h^{x_4}, y_3 := g^{x_5}) constitutes the public 
key. The revocation manager also publishes a collision-resistant hash function 
H. 

Each user also publishes an ℓ_n-bit RSA modulus n_U that is the product of 
two safe primes and two generators g_U and h_U of QR_{n_U}. 

Each appointed verifier chooses a public key (n_V, g_V) of the Paillier encryption 
scheme, where n_V is an ℓ_V-bit RSA modulus and g_V = 1 + n_V (mod n_V^2). The 
verifier also publishes G = ⟨g⟩ = ⟨h⟩ of order n_V^2. 

5.2 Joining with Appointed Verifier 

In this protocol, aside from the public information, the user's input will be a 
secret key x ∈ Γ and her identifier S_U, and her output will be a membership 
certificate tuple (s, Z, c, e, u) w.r.t. an appointed verifier V such that s ∈_R Δ, 
c is the encryption of z = log_{a_3} Z mod n under V's Paillier public key, z ∈ Ω, 
e G A a prime, and u® = a^Za^afao mod n. The group manager’s input will be 
his secret key and all the public information in the system. His output is the 
user’s identifier Sp = and also the values S = afaf , z, c, e, u. 
A secure two-party protocol that has this functionality is as follows: 

1. User chooses a value s_1 ∈_R Δ. The integer s_1 will be the user's contribution 
to s. Further random values ∈_R {0, …} are also chosen. User sets C_1 := … mod n and 
C_2 := … mod n, sends C_1, C_2, S_U, and the CA's signature on S_U to the 
GM, and serves as the prover to verifier GM in 



PK{{a,(3,-i,5) : Cf = {g^T{h^f A C| = A 

Sr = Jg a a g a a 'y g r} . 



2. GM checks the CA's signature on S_U, chooses a random s_2 ∈_R Δ and sends 
s_2 to U. 

3. The user computes s = (s_1 + s_2 mod (2^{ℓ_Δ+1} − 1)) − 2^{ℓ_Δ} + 1 (s is the sum 
of s_1 and s_2, adjusted appropriately so as to fall in the interval Δ) and 
s̃ = ⌊(s_1 + s_2) / (2^{ℓ_Δ+1} − 1)⌋ (s̃ is the value of the carry resulting from the computation of 
s above). The user then sets S := afaf and sends S to GM. 

4. Now, the user must show that S was formed correctly. To that end, she 
chooses Tg Gr {0, 1}^”, sets C3 := g’^h'"‘, sends C3 to GM, and executes 



PK{{a,P,-i,5,e,C,^,0 ■ Cl = {g^r{h^f A d = {gy{e)< A 
52 = {ainalV A = {g^)\h^f A 

Sr = hC A yST A 'd G A} 



as prover with the GM. 

5. GM chooses z Gr G, a, prime e Gr A, computes Z := a§ and u := 

{ala^SagyC (mod n), encrypts z under the public key of the appointed ver- 
ifier, i.e., chooses a random r ∈_R Z_{n_V}^* and computes c := g_V^z r^{n_V} (mod n_V^2). 

GM sends Z, u, e, and c to U. 

6. User checks whether it® = a^Za^afao (mod n), e G A, and c G Z„2. 

7. GM proves to the user that c indeed encrypts log_{a_3} Z and that this value lies 
in Ω. To this end GM chooses a random r̃ ∈_R {0, 1}^{…}, computes Z̃ := g_U^z h_U^{r̃}, sends Z̃ 
to U and carries out the protocol 

PK{{a,(3,-t,5) ■. Sr = hZ V (c = (modn^) A 

Z^ = (03)“ (modn) t\ ZS' = (modn;/) t\ a G 17)} 

as the prover with the user. 

8. GM stores S, S_U, u, e, c, z and the user's name in its database. 

9. GM and the user go home, listen to music, and have coffee, tea, and cake. 

Remark: In step 7 the GM proves that it knows either the user's secret x = 
log_h S_U or that c is an encryption of log_{a_3} Z so as to leave no evidence to the 
user that the protocol took place. 
5.3 Authenticate to an Appointed Verifier 

This is a protocol between a user and an appointed verifier. The user’s input 
is the public information, the membership certificate issued as described above, 
and a revocation condition con which specifies under which conditions the user’s 
identity may be discovered. The verifier’s input, aside from the public informa- 
tion, is his Paillier secret key. The verifier’s output is con, and an encryption 
of the user’s identifier under the revocation manager’s public key with condi- 
tion con. The verifier accepts if the user succeeds in proving knowledge of a 
valid membership certificate, and in proving that this membership certificate 
was issued to the user whose encrypted identifier is provided. The protocol is as 
follows: 

1. The user and the verifier agree on a revocation condition con. 

2. The user first blinds the ciphertext c, i.e., chooses a random r̃_1 and a random 
r̃_2 ∈_R Z_{n_V}^* and computes c̃ := c · g_V^{r̃_1} r̃_2^{n_V} (mod n_V^2) and Z̃ := Z a_3^{r̃_1} (mod n), 
then sends c̃ and Z̃ to the verifier. 

3. The user computes a blinded public key for use with verifiable encryption, 
i.e., she chooses a random w ∈_R Z_q, computes u := h^w and v := S_U^w (hence 
v = u^x), and sends u, v to the verifier. 

4 . The user chooses ri,r2,r3 Gr Z„2 and r Gr Z„2 and computes Ti = 

mod n, T2 = mod n, T3 = mod n, and T = '’2 ” /i’’ . (Ti 

serves as a blinded u, and T_2 is an additional commitment which will be used 
to prove that T_1 was formed correctly. T and T_3 are needed to show that 
the ciphertext c was blinded in the same way as Z.) Then the user computes 
the encryption E of his identifier under condition con, as follows: he chooses 
r_4 ∈_R Z_q and sets E := (E_1, E_2, E_3, E_4), where E_1 := g^{r_4}, E_2 := h^{r_4}, 
E_3 := S_U y_3^{r_4}, E_4 := y_1^{r_4} y_2^{r_4 H(E_1||E_2||E_3||con)}, and sends (T_1, T_2, T_3, T, E) 
to the verifier. 

5 . The user serves as prover to the verifier in 

VE{BGama\,{ii,v)){{Q,§,<;) : f = A = {g'^f{hy A i) G 

and in 



PK{{a,P,j,6,C,e,g^,^,R,g,i;,^,<;): 1 = (T|)“( A 



a. 



u-i u-2 ^4 'V 

T^ = {g^f{hy A f = A i = A u = hZ A 

Ei=g^ A E2 = h^ A E:^ = E'yl A ^14 = A 

a G A A 13 G A A i> G r A § G '!> A if G [l,nl - 1]] . 



6. The verifier decrypts c to get z and checks whether Z = (mod n) and 
whether z G f2'. 
Let us consider the efficiency of the above verifiable encryption protocol. Recall that verifiable encryption works by repeating the underlying PK sufficiently many times, e.g., $k = 80$ times. Assuming that exponentiation with a $2\ell_n$-bit modulus corresponds to about 8 exponentiations with an $\ell_n$-bit modulus, the total computational load of both the prover and the verifier for the verifiable encryption protocol amounts to $17k$ exponentiations with an $\ell_n$-bit modulus, and about 42 exponentiations with an $\ell_n$-bit modulus for the PK. On the verifier's side, this load can be considerably reduced by applying so-called batch verification. 



5.4 Convert and Authenticate 

This paragraph briefly discusses how an appointed verifier can convert an appointed-verifier membership certificate into an ordinary membership certificate and how a group member can then convince anyone of her group membership. 

To convert a certificate, the user and the verifier first carry out the authenticate with appointed verifier operation. If this operation is successful, the verifier can provide the user with the decryption of $c$. This will allow the user to compute the value $z$ encrypted as $c$. Thus she holds values $(x, s, z, c, u, e)$ such that $Z = (a_1^{x} a_2^{s} a_3^{z} a_4^{u} a_0)^{1/e} \bmod n$, i.e., a valid group membership certificate. Proving possession of this certificate, i.e., authenticating as a group member to any verifier, can now be done similarly to the way it is done for an appointed verifier above. The only difference is that there is no encryption $c$ and no commitments $T_3$ and $T$, and hence the corresponding parts in the proof protocol are dropped: first, steps 2 and 5 are no longer needed; second, in step 4 the verifiable encryption protocol is not needed and in the PK the first term of the expression proved is replaced by $a_0 = \ldots$, while the terms $T_1 = (g^{\cdot})^{\cdot}(h^{\cdot})^{\cdot}$, $g^{\cdot} = T^{\cdot} h^{\cdot}$, $v = u^{x}$, and $u = h^{w}$ are dropped. The fact that the verifiable encryption protocol is no longer needed makes the whole protocol much more efficient, as it was the bulk of the computational load. 



5.5 Anonymity Revocation 

Upon a request $E = (E_1, E_2, E_3, E_4)$ and con, the revocation manager checks whether $E_4 = E_1^{x_1 + x_3 \mathcal{H}(E_1\|E_2\|E_3\|\mathrm{con})}\, E_2^{x_2 + x_4 \mathcal{H}(E_1\|E_2\|E_3\|\mathrm{con})}$ and whether the revocation condition con is fulfilled. If these checks succeed, he returns $S := E_3 / E_1^{x_5}$. If $E$ was produced in an Authenticate to an Appointed Verifier or an Authenticate protocol, $S$ will match the identifier $S_u$ of the user who took part in the protocol. 
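The checks the revocation manager performs are those of Cramer-Shoup decryption (Lemma 1 below names the scheme) with the revocation condition hashed into $E_4$. The Python block below is an added example and not code from the paper: it uses a toy safe-prime group of order 1019 (constructed parameters), assumes the key-component names $x_1, \ldots, x_5$ and takes the two generators $g, h$ as G1, G2, and shows why binding con into the hash matters: the same ciphertext presented with a different condition, or with the condition not fulfilled, is not opened.

```python
"""Cramer-Shoup encryption of a user identifier with the revocation condition bound into E4.

Added example with toy parameters; the names x1..x5 for the revocation manager's
secret key components are an assumption, not the paper's notation.
"""
import hashlib
import secrets

# Toy group constructed for the example: p = 2q + 1 with q prime, G1 and G2 in the
# order-q subgroup of Z_p^*. Real deployments use a large safe prime or an EC group,
# and G2 must be chosen so that nobody knows log_G1(G2).
P = 2039
Q = 1019
G1 = 4    # 2^2 mod p
G2 = 9    # 3^2 mod p


def hash_to_exponent(e1, e2, e3, con):
    """alpha = H(E1 || E2 || E3 || con), reduced into Z_q."""
    data = f"{e1}|{e2}|{e3}|".encode() + con.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Revocation manager's key pair: secret (x1..x5), public (c, d, y)."""
    while True:
        x1, x2, x3, x4, x5 = (secrets.randbelow(Q - 1) + 1 for _ in range(5))
        c = pow(G1, x1, P) * pow(G2, x2, P) % P
        d = pow(G1, x3, P) * pow(G2, x4, P) % P
        if c != 1 and d != 1:          # reject degenerate keys (only plausible at toy sizes)
            break
    y = pow(G1, x5, P)
    return {"x": (x1, x2, x3, x4, x5), "pub": (c, d, y)}


def encrypt_identifier(pub, s_u, con):
    """User's step: encrypt the subgroup element S_u under condition con as (E1, E2, E3, E4)."""
    c, d, y = pub
    r4 = secrets.randbelow(Q - 1) + 1
    e1 = pow(G1, r4, P)
    e2 = pow(G2, r4, P)
    e3 = pow(y, r4, P) * s_u % P
    alpha = hash_to_exponent(e1, e2, e3, con)
    e4 = pow(c, r4, P) * pow(d, r4 * alpha % Q, P) % P
    return (e1, e2, e3, e4)


def open_identifier(key, E, con, condition_fulfilled):
    """Revocation manager: recompute alpha from the *presented* con, verify E4, then
    return S_u = E3 / E1^x5, or None if any check fails."""
    x1, x2, x3, x4, x5 = key["x"]
    e1, e2, e3, e4 = E
    alpha = hash_to_exponent(e1, e2, e3, con)
    expected = pow(e1, (x1 + x3 * alpha) % Q, P) * pow(e2, (x2 + x4 * alpha) % Q, P) % P
    if expected != e4 or not condition_fulfilled:
        return None
    return e3 * pow(pow(e1, x5, P), -1, P) % P


if __name__ == "__main__":
    key = keygen()
    s_u = pow(G1, 123, P)                       # constructed identifier in the subgroup
    con = "open only after 2001-12-31"          # constructed revocation condition
    E = encrypt_identifier(key["pub"], s_u, con)
    print(open_identifier(key, E, con, True) == s_u)         # True: correct con, fulfilled
    print(open_identifier(key, E, "open now", True))         # None: con swapped, E4 check fails
    print(open_identifier(key, E, con, False))               # None: con not fulfilled
```

The security-relevant point is that the manager recomputes the hash from the condition it is shown, not from one supplied alongside the ciphertext: anyone who strips or replaces con changes alpha, so the $E_4$ check fails and the identifier stays sealed.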

5.6 Proof of Security and Appointed Verifier Property 

We outline how security is proven and state the important theorems and lemmas. For details and all the proofs we refer to the full version of this paper. 
Protecting the Honest Players. Security for the honest players is proven by providing a simulator that satisfies the definition of security for the honest players. The simulator will create cryptographic instantiations for the honest parties. For every transaction between the adversary and an honest party, the simulator will execute its cryptographic part on behalf of these honest parties. If the cryptographic implementation of a protocol prescribes that a real-world honest player should behave in a way that is different from the underlying ideal-world player, then the simulator rejects. (This can happen if an adversary succeeds in proving group membership in such a way that the simulator is unable to extract a secret key to which a membership certificate was issued in a previous transaction. As a result, an ideal trusted party would tell the ideal verifier to reject the adversary's user, while the cryptographic implementation would dictate the real-world verifier to accept.) 

This simulator is constructed in the usual way, with the following subtle difference: in the Authenticate protocol, when an honest user interacts with a dishonest verifier, the simulator does not get to know which user it is and hence does not know which user to simulate towards the verifier. There are two cases to consider here, one where the revocation manager is honest and one where he is not. For brevity we will address only the former case here: The simulator forms a ciphertext $E$ that is an encryption of 0 under the revocation manager's public key. He then creates a random public key $P = (u, v)$ for the verifiable encryption and chooses $\tilde r_1, \tilde r_2 \in_R \ldots$ and $T_1, T_2$ and $T$ at random from their corresponding domains. Then, the simulator sends $(\tilde Z, \tilde c, T_1, T_2, T, E, P)$ to the adversary and carries out the verifiable encryption protocol 

$$VE(\mathrm{ElGamal}, (u, v))\{(\varrho, \sigma, \varsigma) : \tilde T = \ldots \ \wedge\ T_1 = (g^{\varrho})^{\cdot}(h^{\sigma})^{\cdot} \ \wedge\ \varsigma \in \Phi\}$$ 

with the adversary and finally runs the simulator for the view of the verifier in the group membership proof protocol described in Section 5.3. 

The following lemma follows from the semantic security of the verifiable encryption scheme, as well as from the adaptive chosen-ciphertext security of the encryption scheme under which the users' identifiers are encrypted. 

Lemma 1. Either the simulator produces a computationally indistinguishable view, or it rejects. The computational indistinguishability is under the decisional Diffie-Hellman assumption for the group over which the Cramer-Shoup encryption of the identifiers is done. 

The only thing left to prove security is to show that the simulator almost never rejects. We observe that the only case when the simulator rejects is when the adversary demonstrates group membership for an unauthorized user-verifier pair. We show that if this simulator rejects non-negligibly often, then either there exists a polynomial-time algorithm for forging membership certificates (thus violating the strong RSA assumption or the discrete logarithm assumption), or there exists a polynomial-time algorithm for cracking the Paillier cryptosystem, or there exists a way to circumvent the knowledge extractor for one of the proofs of knowledge: 

Lemma 2. Under the strong RSA assumption, the hardness of discrete logarithms modulo a safe prime product, and the security of the Paillier cryptosystem, the simulator rejects with only negligible probability. 

Putting everything together, we get: 

Theorem 1. Under standard number-theoretic assumptions, the construction presented in Section 5 is an identity escrow scheme with security guarantee for honest users, as required by the corresponding definition. 



Appointed Verifier Property. Given the public key $(n, a_0, a_1, a_2, a_3, a_4, g, h)$ of the group manager, and the public key $(h, g)$ of the appointed verifier $V$, for any given $S$ it is easy to create a tuple $(Z, c, u, e)$ such that no one except $V$ can distinguish it from a valid membership certificate. Create such a tuple as follows (call this procedure the forger): choose any $r \in_R \mathbb{Z}_{n_v^2}$, set $c := r^{n_v} \bmod n_v^2$ ($c$ is simply the encryption of 0 under the verifier's public key), $u \in_R QR_n$, $e \in_R \Delta$, and set $Z := \ldots$ from $S$, $u$, $e$ and $a_0$. 

Lemma 3. Under the assumption that the Paillier cryptosystem is semantically secure, for all $x \in \Gamma$, the tuple $(s, Z, c, e, u)$ such that $s \in_R \Delta$ and $(Z, c, e, u)$ are created by the forger above on input $S = a_1^{x} a_2^{s}$, is indistinguishable from a valid membership certificate created by querying an oracle $O$ that, on input $S$, carries out the certificate-issuing step of the Join with appointed verifier protocol. 

Proof. Let $D_1$ be the distribution of fake certificates as above, and $D_2$ be the distribution of valid certificates. Suppose that a distinguisher existed. Then we break the security of the Paillier cryptosystem as follows: we give the reduction access to the secret keys of the group manager. The reduction chooses a random $z \in \Omega$ and asks the encryption oracle to give it an encryption of either 0 or $z$. It is easy to see that if the oracle returns an encryption of 0, then the resulting tuple will be distributed according to $D_1$, while if the oracle returns an encryption of $z$, then the resulting tuple will be distributed according to $D_2$. Thus we can use the distinguisher for $D_1$ and $D_2$ to break the semantic security of the Paillier cryptosystem. □ 
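Two places above rely on the same Paillier mechanics: step 2 of the Authenticate protocol in 5.3 blinds the ciphertext $c$ without knowing its plaintext, and the forger sets $c := r^{n_v} \bmod n_v^2$, an encryption of 0. The Python block below is an added example, not code from the paper: textbook Paillier with a toy modulus (two constructed four-digit primes standing in for the verifier's $n_v$), showing that blinding preserves the plaintext and that a forged $c$ decrypts to 0 while only the holder of the verifier's secret key can make that distinction.

```python
"""Paillier encryption: blinding (re-randomisation) and an encryption of 0.

Added example with toy parameters; real keys use primes of 512 bits or more.
"""
import math
import secrets

# Constructed toy primes for the verifier's modulus n_v = p * q.
P_PRIME = 1019
Q_PRIME = 1021


def paillier_keygen(p=P_PRIME, q=Q_PRIME):
    """Key pair with g = n + 1, so L(g^lambda mod n^2) = lambda mod n and mu = lambda^-1 mod n."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)    # lcm(p-1, q-1)
    mu = pow(lam, -1, n)
    return {"n": n, "lam": lam, "mu": mu}


def random_unit(n):
    """Random r in [2, n-1] with gcd(r, n) = 1 (r = 1 excluded so blinding always changes c)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def encrypt(n, m, r=None):
    """c = (1 + n)^m * r^n mod n^2 = (1 + m*n) * r^n mod n^2."""
    r = random_unit(n) if r is None else r
    n2 = n * n
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def blind(n, c):
    """Step-2 style blinding: c' = c * r'^n mod n^2 is a fresh encryption of the same plaintext.
    Needs only the public modulus, never the plaintext or the secret key."""
    n2 = n * n
    return c * pow(random_unit(n), n, n2) % n2


def decrypt(key, c):
    """Verifier's decryption: m = L(c^lambda mod n^2) * mu mod n with L(u) = (u - 1) / n."""
    n, lam, mu = key["n"], key["lam"], key["mu"]
    n2 = n * n
    u = pow(c, lam, n2)
    return ((u - 1) // n) * mu % n


def forge_zero_ciphertext(n):
    """The forger's c := r^n mod n^2, i.e. an encryption of 0 under the verifier's key."""
    return pow(random_unit(n), n, n * n)


if __name__ == "__main__":
    key = paillier_keygen()
    n = key["n"]
    z = 4242                                   # constructed plaintext standing in for z
    c = encrypt(n, z)
    c_blinded = blind(n, c)
    print(c_blinded != c, decrypt(key, c_blinded) == z)   # True True
    print(decrypt(key, forge_zero_ciphertext(n)))         # 0
```

Without the secret key, a genuine $c$, its blinded form and a forged encryption of 0 are all just elements of $\mathbb{Z}_{n_v^2}^*$; this is exactly the semantic-security property the reduction in the proof of Lemma 3 exploits.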

Based on this way of forging a single membership certificate, we can now build a deceiver $D$. In fake mode, on input a list $L$, $D$ does not forward the messages pertaining to Join with appointed verifier for user $A$ and verifier $V$ if $(A, V) \in L$. Instead, he impersonates the group manager GM to $A$. $D$ proceeds as follows: it conducts the initial steps of the Join with appointed verifier protocol exactly the same way as GM would to get an input $S$. Then it creates a fake certificate $(Z, c, e, u)$ using the forger described above. As the secret key $x = \log S_u$ of user $A$ was given to $D$ as input, $D$ succeeds in carrying out the PK in the corresponding step. It then stores this certificate. 

For $(A, V) \notin L$, $D$ forwards all the messages, and, in case of a successfully carried out Join, stores the certificate. 
When $A$ engages in a session sid that is an Authenticate to appointed verifier with some verifier $V$, $D$ proceeds as follows (recall that verifiable encryption is by itself a three-move proof of knowledge): it first receives, from $A$, all messages up to step 5 and buffers them. Then, it receives the first message of the VE protocol, and in particular the ciphertext $\tilde c$ and the value $\tilde Z$. By the properties of VE, this first message contains an ElGamal encryption under $(v, u)$ of the values $\tilde r_1$ and $\tilde r_2$. It checks whether $v = u^{x}$ for some secret key $x$ of a player $A$ controls. If this is not the case, then it knows that the verifier will reject anyway, so it forwards the message to $V$. If it finds the right $x$, then it decrypts the first message of the verifiable encryption and obtains $\tilde r_1$ and $\tilde r_2$. If the first message of the verifiable encryption is invalid, it detects that and then it knows that $V$ will reject, so it forwards $A$'s message to $V$. It then sets $c := \ldots$ and looks up a membership certificate that contains the ciphertext $c$. If it fails to find one, it knows that the verifier will reject, so it forwards the message to $V$. If it finds one, and it is a valid membership certificate, then it forwards all the messages between $A$ and $V$ for this sid. 

If it is a fake membership certificate that includes ciphertext $c$, it checks whether this certificate also includes the value $Z := \ldots$. If it does not, then $D$ knows that the verifier will reject anyway, so it forwards the message to $V$. 

Otherwise, this first message of $A$ is valid. Since $D$ has the valid membership certificate for $(A, V)$, $D$ tells $F$ to send the first valid message of an Authenticate to appointed verifier to $V$. Then $D$ simulates $V$ for $A$: it creates a challenge message and sends it to $A$. If $A$ responds to the message so as to correctly complete the corresponding proof of knowledge and verifiable encryption, then $D$ tells $F$ to send $V$ a message that corresponds to a valid response to $V$'s challenge. Otherwise, $D$ tells $F$ to send to $V$ a message that does not constitute a valid response. After that, $V$ either responds to $F$ with an accept or reject. $F$ forwards that response to $D$, which in turn sends it to $A$. 

It is easy to see that the following lemma holds. 

Lemma 4. Under the assumption that the Paillier cryptosystem is semantically secure, the strong RSA assumption, and the assumption that computing discrete logarithms modulo a safe prime product is hard, the following holds: Provided that $V$ never performs the Convert and Identify operation for $A$, if the probability that $B$ accepts when talking to $D$ in real mode differs non-negligibly from the probability that $B$ accepts when talking to $D$ in fake mode, then $B$ and verifier $V$ have engaged in the Authenticate with appointed verifier protocol in which $V$ accepted, such that a subsequent Identify operation, if carried out, will point to $A$. 



Using Lemma 4, the following is immediate by Definition 2. 

Theorem 2. Under standard number-theoretic assumptions, the construction presented in Section 5 is an identity escrow scheme with the appointed verifier property, as required by Definition 2. 
6 Concluding Remarks 

We note that in order to implement several identity escrow schemes at the same 
time using our methods, the set-up, apart from the public-key infrastructure, has 
to be repeated for each instance. In particular, the public keys of the verifiers 
will have to be different for each instance. It is an interesting question whether 
it would be possible to avoid this and yet have a practical construction that 
is secure against adaptive attacks. It is also interesting whether the public-key 
model can be eliminated from the picture. 

An appointed-verifier identity escrow scheme is only the first step towards 
a bigger goal of realizing protocols in which it is provably hard to convince an 
unauthorized party of the truth of some statement. It would be interesting to 
apply our methods in the context of electronic voting and consider existing voting 
schemes and how close they come to satisfying an appropriate modification of 
our definition, and, if a gap appears, whether the techniques developed in this 
paper could resolve it. 
Abstract. We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable to an attack in which an adversary is only allowed to make a constant number of queries of the form "is $w$ the password of Party A". We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire dictionary. We note that prior to our result, it was not clear whether or not such protocols were attainable without the use of random oracles or additional setup assumptions. 



1 Introduction 

This work deals with the oldest and probably most important problem of cryptography: enabling private and reliable communication among parties that use a public communication channel. Loosely speaking, privacy means that nobody besides the legitimate communicators may learn the data communicated, and reliability means that nobody may modify the contents of the data communicated (without the receiver detecting this fact). Needless to say, a vast amount of research has been invested in this problem. Our contribution refers to a difficult and yet natural setting of two parameters of the problem: the adversaries and the initial set-up. 

We consider only probabilistic polynomial-time adversaries. Still, even within this framework, an important distinction refers to the type of adversaries one wishes to protect against: passive adversaries only eavesdrop on the channel, whereas active adversaries may also omit, insert and modify messages sent over the channel. Clearly, reliability is a problem only with respect to active adversaries (and holds by definition w.r.t. passive adversaries). We focus on active adversaries. 

* Supported by the MINERVA Foundation, Germany. 
The second parameter mentioned above is the initial set-up assumptions. Some assumption of this form must exist or else there is no difference between the legitimate communicators, called Alice and Bob, and the adversary (which may otherwise initiate a conversation with Alice pretending to be Bob). We list some popular initial set-up assumptions and briefly discuss what is known about them. 

Public-key infrastructure: Here one assumes that each party has generated a secret-key and deposited a corresponding public-key with some trusted server(s). The latter server(s) may be accessed at any time by any user. It is easy to establish private and reliable communication in this model (cf. […]). (However, even in this case, one may want to establish "session keys" as discussed below.) 



Shared (high-quality) secret keys: By high-quality keys we mean strings coming from distributions of high min-entropy (e.g., uniformly chosen 56-bit (or rather 192-bit) long strings, uniformly chosen 1024-bit primes, etc). Furthermore, these keys are selected by a suitable program, and cannot be memorized by humans. In case a pair of parties shares such a key, they can conduct private and reliable communication (cf. […]). 



Shared (low-quality) secret passwords: In contrast to high-quality keys, passwords are strings that may be easily selected, memorized and typed-in by humans. An illustrating (and simplified) example is the case in which the password is selected uniformly from a relatively small dictionary; that is, the password is uniformly distributed in $\mathcal{D} \subseteq \{0, 1\}^n$, where $|\mathcal{D}| = \mathrm{poly}(n)$. Note that using such a password in the role of a cryptographic key (in schemes as mentioned above) will yield a totally insecure scheme. A more significant observation is that the adversary may try to guess the password, and initiate a conversation with Alice pretending to be Bob and using the guessed password. So nothing can prevent the adversary from successfully impersonating Bob with probability $1/|\mathcal{D}|$. But can we limit the adversary's success to about this much? 

The latter question is the focus of this paper. 



Session-keys: The problem of establishing private and reliable communication is commonly reduced to the problem of generating a secure session-key (a.k.a. "authenticated key exchange"). Loosely speaking, one seeks a protocol by which Alice and Bob may agree on a key (to be used throughout the rest of the current communication session) so that this key will remain unknown to the adversary.¹ Of course, the adversary may prevent such agreement (by simply blocking all communication), but this will be detected by either Alice or Bob. 

¹ We stress that many famous key-exchange protocols, such as the one of Diffie and Hellman, refer to a passive adversary. In contrast, this paper refers to active adversaries. 
1.1 What Security May Be Achieved Based on Passwords 

Let us consider the related (although seemingly easier) task of mutual authentication. Here Alice and Bob merely want to establish that they are talking to one another. Repeating an observation made above, we note that if the adversary initiates $m < |\mathcal{D}|$ instances of the mutual authentication protocol, guessing a different password in each of them, then with probability $m/|\mathcal{D}|$ it will succeed in impersonating Alice to Bob (and furthermore find the password). The question posed above is rephrased here as follows: 

Can one construct a password-based scheme in which the success probability of any probabilistic polynomial-time impersonation attack is bounded by $O(m/|\mathcal{D}|) + \mu(n)$, where $m$ is the number of sessions initiated by the adversary, and $\mu(n)$ is a negligible function in the security parameter $n$? 

We resolve the above question in the affirmative. That is, assuming the existence of trapdoor one-way permutations, we prove that schemes as above do exist (for any $\mathcal{D}$ and specifically for $|\mathcal{D}| = \mathrm{poly}(n)$). Our proof is constructive. We actually provide a protocol of comparable security for the more demanding goal of authenticated session-key generation. 

Password-based authenticated session-key generation: Our definition for the task of authenticated session-key generation is based on the simulation paradigm. That is, we require that a secure protocol emulates an ideal execution of a session-key generation protocol (cf. […]). In such an ideal execution, a trusted third party hands identical, uniformly distributed session-keys to the honest parties. The only power given to the adversary in this ideal model is to prevent the trusted party from handing keys to one of both parties. (We stress that, in this ideal model, the adversary learns nothing of the parties' joint password or output session-key). 

Next, we consider a real execution of a protocol (where there is no trusted party and the adversary has full control over the communication channel between the honest parties). In general, a protocol is said to be secure if real-model adversaries can be emulated in the ideal-model such that the output distributions are computationally indistinguishable. Since in a password-only setting the adversary can always succeed with probability $1/|\mathcal{D}|$, it is impossible to achieve computational indistinguishability between the real model and the above-described ideal model (where the adversary has zero probability of success). Therefore, in the context of a password-only setting, an authenticated session-key generation protocol is said to be secure if the above-mentioned ideal-model emulation results in an output distribution that can be distinguished from a real execution by (a gap of) at most $O(1/|\mathcal{D}|) + \mu(n)$. 

Main result (informally stated): Assuming the existence of trapdoor one-way permutations, there exists a secure authenticated session-key generation protocol in the password-only setting. 

The above (informal) definition implies the intuitive properties of authenticated session-key generation (e.g., security of the generated session-key and of the initial password). In particular, the output session-key can be distinguished from a random key by (a gap of) at most $O(1/|\mathcal{D}|) + \mu(n)$.² Similarly, the distinguishing gap between the parties' joint password and a uniformly distributed element in $\mathcal{D}$ is at most $O(1/|\mathcal{D}|) + \mu(n)$. (As we have mentioned, the fact that the adversary can distinguish with gap $O(1/|\mathcal{D}|)$ is an inherent limitation of password-based security.) The parties are also guaranteed that, except with probability $O(1/|\mathcal{D}|) + \mu(n)$, they either end up with the same session-key or detect that their communication has been tampered with. Our definition also implies additional desirable properties of session-key protocols such as forward secrecy and security in the case of session-key loss (or known-key attacks). Furthermore, our protocol provides improved (i.e., negligible gap) security in case the adversary only eavesdrops on the communication (during the protocol execution). 

We mention that a suitable level of indistinguishability (of the real and ideal executions) holds when $m$ sessions (referring to the same password) are conducted sequentially: in this case the distinguishing gap is $O(m/|\mathcal{D}|) + \mu(n)$ rather than $O(1/|\mathcal{D}|) + \mu(n)$ (which again is optimal). This holds also when any (polynomial) number of other sessions w.r.t. independently distributed passwords are conducted concurrently to the above $m$ sessions. 

Caveat: Our protocol is proven secure only when assuming that the same pair of parties (using the same password) does not conduct several concurrent executions of the protocol. We stress that concurrent sessions of other pairs of parties (or of the same pair using a different password) are allowed. See further discussion in Sections […] and […]. 



1.2 Comparison to Prior Work 

The design of secure mutual authentication and key-exchange protocols is a major effort of the applied cryptography community. In particular, much effort has been directed towards the design of password-based schemes that should withstand active attacks.³ An important restricted case of the mutual authentication problem is the asymmetric case in which a human user authenticates himself to a server in order to access some service. The design of secure access control mechanisms based only on passwords is widely recognized as a central problem of computer practice and as such has received much attention. 

² This implies that when using the session-key as a key to a MAC, the probability that the adversary can generate a valid MAC-tag to a message not sent by the legitimate party is small (i.e., $O(1/|\mathcal{D}|)$). Likewise, when using the session-key for private-key encryption, the adversary learns very little about the encrypted messages: for every partial-information function, the adversary can guess the value of the function applied to the messages with only small (i.e., $O(1/|\mathcal{D}|)$) advantage over the a-priori probability. 

³ A specific focus of this research has been on preventing off-line dictionary attacks. In such an off-line attack, the adversary records its view from past protocol executions and then scans the dictionary for a password consistent with this view. If checking consistency in this way is possible and the dictionary is small, then the adversary can derive the correct password. Clearly, a secure session-key generation protocol (as informally defined above) withstands any off-line dictionary attack. 
The first protocol suggested for password-based session-key generation was by Bellovin and Merritt […]. This work was very influential and became the basis for much future work in this area […]. However, these protocols have not been proven secure and their conjectured security is based on mere heuristic arguments. Despite the strong need for secure password-based protocols, the problem was not treated rigorously until quite recently. For a survey of works and techniques related to password authentication, see […] (a brief survey can be found in […]). 

A first rigorous treatment of the access control problem was provided by Halevi and Krawczyk […]. They actually considered an asymmetric hybrid model in which one party (the server) may hold a high-quality key and the other party (the human) may only hold a password. The human is also assumed to have secure access to a corresponding public-key of the server (either by reliable access to a reliable server or by keeping a "digest" of that public-key, which they call a public-password). The Halevi-Krawczyk model capitalizes on the asymmetry of the access control setting, and is inapplicable to settings in which communication has to be established between two humans (rather than a human and a server). Furthermore, requiring the human to keep the unmemorizable public-password (although not secretly) is undesirable even in the access control setting. Finally, we stress that the Halevi-Krawczyk model is a hybrid of the "shared-key model" and the "shared-password model" (and so their results don't apply to the "shared-password model"). Thus, it is of both theoretical and practical interest to answer the original question as posed above (i.e., without the public-password relaxation): Is it possible to implement a secure access control mechanism (and authenticated key-exchange) based only on passwords? 

Positive answers to the original problem have been provided in the random oracle model. In this model, all parties are assumed to have oracle access to a totally random (universal) function […]. Secure (password-based) access control schemes in the random oracle model were presented in […]. The common interpretation of such results is that security is likely to hold even if the random oracle is replaced by a ("reasonable") concrete function known explicitly to all parties. We warn that this interpretation is not supported by any sound reasoning. Furthermore, as pointed out in […], there exist protocols that are secure in the random oracle model but become insecure if the random function is replaced by any specific function (or even a function uniformly selected from any family of functions). 

To summarize, this paper is the first to present session-key generation (as well as mutual authentication) protocols based only on passwords (i.e., in the shared-password model), using only standard cryptographic assumptions (e.g., the existence of trapdoor one-way permutations, which in turn follows from the intractability assumption regarding integer factorization). We stress that prior to this work it was not clear whether such protocols exist at all (i.e., outside of the random oracle model). 



Necessary conditions for mutual authentication: Halevi and Krawczyk […] proved that mutual-authentication in the shared-password model implies (unauthenticated) secret-key exchange, which in turn implies one-way functions. Consequently, Boyarsky […] pointed out that, in the shared-password model, mutual-authentication implies Oblivious Transfer. 



1.3 Techniques 

One central idea underlying our protocol is due to Naor and Pinkas […]. They suggested the following protocol for the case of passive adversaries, using a secure protocol for polynomial evaluation.⁴ In order to generate a session-key, party A first chooses a random linear polynomial $Q(\cdot)$ over a large field (which contains the dictionary of passwords). Next, A and B execute a secure polynomial evaluation in which B obtains $Q(w)$, where $w$ is their joint password. The session-key is then set to equal $Q(w)$. 

In […] it was suggested to make the above protocol secure against active adversaries by using non-malleable commitments. This suggestion was re-iterated to us by Moni Naor, and in fact our work grew out of his suggestion. In order to obtain a protocol secure against active adversaries, we augment the above-mentioned protocol of […] by several additional mechanisms. Indeed, we use non-malleable commitments […], but in addition we also use a specific zero-knowledge proof […], ordinary commitment schemes […], a specific pseudorandom generator (of […]), and message authentication schemes (MACs). The analysis of the resulting protocol is very complicated, even when the adversary initiates a single session. As explained below, we believe that these complications are unavoidable given the current state of the art regarding concurrent execution of protocols. 
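The following Python block is an added example, not code from the paper or from Naor and Pinkas. It models the passive-adversary protocol just described with the secure polynomial evaluation replaced by a direct evaluation (so it models only what B learns, not the two-party computation that hides $w$ from A). It goes one step beyond the text: by enumerating every linear polynomial over a small prime field it checks that the pair $(Q(w), Q(w'))$ is uniform over all pairs, i.e. the value an adversary would obtain for a wrong password $w'$ is independent of the real session-key $Q(w)$. Field size and sample passwords are constructed values.

```python
"""Naor-Pinkas style session-key derivation: key = Q(w) for a random linear polynomial Q.

Added example; the field prime and the password values are constructed for illustration.
"""
import secrets
from itertools import product

# Field size: a prime larger than the password dictionary. Naor and Pinkas evaluate over
# a large field; 2^31 - 1 (a Mersenne prime) is used here as a constructed toy value.
FIELD_PRIME = 2_147_483_647


def random_linear_polynomial(p=FIELD_PRIME):
    """Party A's step: Q(x) = a*x + b with a, b uniform in Z_p."""
    return (secrets.randbelow(p), secrets.randbelow(p))


def evaluate(poly, x, p=FIELD_PRIME):
    """Q(x) mod p. In the real protocol this happens inside a secure polynomial
    evaluation: A learns nothing about x and B learns only Q(x)."""
    a, b = poly
    return (a * x + b) % p


def derive_session_keys(password_a, password_b, p=FIELD_PRIME):
    """Model of one protocol run: A keeps Q(w_A), B obtains Q(w_B).
    Identical passwords yield identical keys; a wrong password yields an unrelated value."""
    poly = random_linear_polynomial(p)
    return evaluate(poly, password_a, p), evaluate(poly, password_b, p)


def joint_distribution(w, w_prime, p):
    """Exact distribution of (Q(w), Q(w')) over all p^2 linear polynomials mod a small prime p.
    Returns a dict mapping each value pair to the number of polynomials producing it."""
    counts = {}
    for a, b in product(range(p), repeat=2):
        pair = ((a * w + b) % p, (a * w_prime + b) % p)
        counts[pair] = counts.get(pair, 0) + 1
    return counts


def is_pairwise_independent(w, w_prime, p):
    """True iff every pair of field values arises from exactly one polynomial, i.e. Q(w')
    for a wrong guess w' carries no information about the key Q(w). For w != w' the map
    (a, b) -> (Q(w), Q(w')) is a bijection (its determinant w - w' is non-zero mod p)."""
    counts = joint_distribution(w, w_prime, p)
    return len(counts) == p * p and set(counts.values()) == {1}


if __name__ == "__main__":
    # Constructed sample: passwords are indices into a small dictionary.
    key_a, key_b = derive_session_keys(42, 42)
    print(key_a == key_b)                          # True: matching passwords, matching keys
    print(is_pairwise_independent(3, 7, 13))       # True: wrong-guess value reveals nothing
    print(is_pairwise_independent(3, 3, 13))       # False: same point, trivially dependent
```

This pairwise independence is what makes the passive case work: a single wrong evaluation is worthless. It also shows why the polynomial must be fresh per session and why the active case needs more machinery, since an adversary who can run two concurrent executions, one with each party, is no longer limited to a single evaluation of the same $Q$.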

Although not explicit in the problem statement, the problem we deal with actually concerns concurrent executions of a protocol. Even in case the adversary attacks a single session among two legitimate parties, its ability to modify messages means that it may actually conduct two concurrent executions of the protocol (one with each party).⁵ Concurrent executions of some protocols were analyzed in the past, but these were relatively simple protocols. Although the high-level structure of our protocol can be simply stated in terms of a small number of modules, the currently known implementations of some of these modules are quite complex. Furthermore, these implementations are NOT known to be secure when two copies are executed concurrently. Thus, at the current state of affairs, the analysis cannot proceed by applying some composition theorems to (two-party) protocols satisfying some concurrent-security properties (because suitable concurrently-secure protocols and composition theorems are currently unknown). Instead, we have to analyze our protocol directly. We do so by reducing the analysis of (two concurrent executions of) our protocol to the analysis of non-concurrent executions of related protocols. Specifically, we show how a 

⁴ In the polynomial evaluation functionality, party A has a polynomial $Q(\cdot)$ over some finite field and Party B has an element $x$ of the field. The evaluation is such that A learns nothing, and B learns $Q(x)$; i.e., the functionality is defined by $(Q, x) \mapsto (\lambda, Q(x))$. 

⁵ Specifically, the adversary may execute the protocol with Alice while claiming to be Bob, concurrently to executing the protocol with Bob while claiming to be Alice, where these two executions refer to the same joint Alice-Bob password. 
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successful adversary in the concurrent setting contradicts the security require- 
ments in the non-concurrent setting. Such “reductions” are performed several 
times, each time establishing some property of the original protocol. Typically, 
the property refers to one of the two concurrent executions, and it is shown 
to hold even if the adversary is given some secrets of the legitimate party in 
the second execution. This is done by giving these secrets to the adversary, en- 
abling him to effectively emulate the second execution internally. Thus, only the 
first execution remains and the relevant property is proven (in this standard 
non-concurrent setting) . See Section El for an illustration of some of these proof 
techniques. 



1.4 Discussion 

We view our work as a theoretical study of the very possibility of achieving private and reliable communication among parties that share only a secret (low-quality) password and communicate over a channel that is controlled by an active adversary. Our main result is a demonstration of the feasibility of this task. That is, we demonstrate the feasibility of performing session-key generation based only on (low-quality) passwords. As such, this work is merely the first (rigorous) step in a research project directed towards providing a good solution to this practical problem. We discuss two aspects of this project that require further study.

Concurrent executions: Our protocol is proven secure only when the same pair of parties (using the same password) does not conduct several concurrent executions of the protocol. (We do allow concurrent executions that use different passwords.) Thus, actual use of our protocol requires a mechanism for ensuring that the same password is never used in concurrent executions. A simple mechanism enforcing the above is to disallow a party from entering an execution with a particular password if less than Δ units of time have passed since a previous execution with the same password. Furthermore, an execution must be completed within Δ units of time; that is, if Δ time units have elapsed then the execution is suspended. See Section 2.5 for further details. Indeed, it is desirable not to employ such a timing mechanism, and to prove that security holds also when many executions are conducted concurrently using the same password.

Efficiency: It is indeed desirable to have more efficient protocols than the one 
presented here. Some of our techniques may be useful towards this goal. 



1.5 Independent Work 

Independently of our work, Katz, Ostrovsky and Yung presented a protocol for session-key generation based on passwords. Their protocol is incomparable to ours. On one hand, their protocol uses a stronger set-up assumption (i.e., public parameters selected by a trusted party), and a seemingly stronger intractability assumption (i.e., the Decisional Diffie-Hellman). On the other hand, their protocol seems practical and is secure in an unrestricted concurrent setting. Recall that the thrust of our work is in demonstrating the feasibility of performing session-key generation based on passwords only (i.e., without any additional set-up assumptions).

2 Formal Setting 

In this section we present notation and definitions that are specific to our set- 
ting, culminating in a definition of Authenticated Session-Key Generation. Given 
these, we state our main result. 



2.1 Basic Notations 

Typically, C denotes the channel (probabilistic polynomial-time adversary) via which parties A and B communicate. We adopt the notation of Bellare and Rogaway [0] and model the communication by giving C oracle access to A and B. We stress that, as in that work, these oracles have memory and model parties who participate in a session-key generation protocol. Unlike in that work, when A and B share a single password, C has oracle access to only a single copy of each party. We denote by C^{A(x),B(y)}(σ) an execution of C (with auxiliary input σ) when it communicates with A and B, holding respective inputs x and y. Channel C's output from this execution is denoted by output(C^{A(x),B(y)}(σ)).

The password dictionary is denoted by 𝒟 ⊆ {0,1}^n, and is fixed for the entire discussion. We let ε = 1/|𝒟|. We denote by U_n the uniform distribution over strings of length n. For a set S, we denote x ∈_R S when x is chosen uniformly from S. We use "ppt" as shorthand for probabilistic polynomial time. We denote an unspecified negligible function by μ(n). That is, for every polynomial p(·) and for all sufficiently large n's, μ(n) < 1/p(n). For functions f and g (defined over the integers), we denote f ≈ g if |f(n) − g(n)| < μ(n). Finally, we denote computational indistinguishability by $\stackrel{c}{\equiv}$.

A security parameter n is often implicit in our notation and discussions. Thus, for example, by the notation 𝒟 for the dictionary, our intention is actually {𝒟_n}_{n∈N} (where 𝒟_n ⊆ {0,1}^n). Recall that we make no assumptions regarding the size of 𝒟_n, and in particular it may be polynomial in n.



2.2 (1 — e)-Indistinguishability and Pseudorandomness 

Extending the standard definition of computational indistinguishability [PM], we define the concept of (1 − ε)-indistinguishability. Two ensembles are (1 − ε)-indistinguishable if for every ppt machine, the probability of distinguishing between them (via a single sample) is at most negligibly greater than ε. (Note that (1 − ε)-indistinguishability is not preserved under multiple samples, but for efficiently constructible ensembles (1 − ε)-indistinguishability implies (1 − mε)-indistinguishability of sequences of m samples.) Thus, computational indistinguishability coincides with 1-indistinguishability. The formal definition is as follows.
Definition 1 ((1 − ε)-indistinguishability): Let ε : N → [0, 1] be a function, and let {X_n}_{n∈N} and {Y_n}_{n∈N} be probability ensembles, so that for any n the distribution X_n (resp., Y_n) ranges over strings of length polynomial in n. We say that the ensembles are (1 − ε)-indistinguishable, denoted $\{X_n\}_{n\in\mathbb{N}} \stackrel{1-\epsilon}{\equiv} \{Y_n\}_{n\in\mathbb{N}}$, if for every probabilistic polynomial time distinguisher D, and all auxiliary information z ∈ {0,1}^{poly(n)},

$$\left|\Pr[D(X_n, 1^n, z) = 1] - \Pr[D(Y_n, 1^n, z) = 1]\right| < \epsilon + \mu(n).$$

We say that {X_n}_{n∈N} is (1 − ε)-pseudorandom if it is (1 − ε)-indistinguishable from {U_n}_{n∈N}. The definition of pseudorandom functions is similarly extended to (1 − ε)-pseudorandom functions.



2.3 Authenticated Session-Key Generation: Definition and Discussion



The problem of password-based authenticated session-key generation can be cast as a three-party functionality involving honest parties A and B, and an adversary C. Parties A and B should input their joint password and receive identical, uniformly distributed session-keys. On the other hand, the adversary C should have no output (and specifically should not obtain information on the password or output session-key). Furthermore, C should have no power to maliciously influence the outcome of the protocol (and thus, for example, cannot affect the choice of the key or cause the parties to receive different keys). However, recall that in a real execution, C controls the communication line between the (honest) parties. Thus, it can block all communication between A and B, and cause any protocol to fail. This (unavoidable) adversarial capability is modeled in the functionality by letting C input a single bit b indicating whether or not the execution is to be successful. Specifically, if b = 1 (i.e., success) then both A and B receive the above-described session-key. On the other hand, if b = 0 then A receives a session-key, whereas B receives a special abort symbol ⊥ instead. We stress that C is given no ability to influence the outcome beyond determining this single bit (i.e., b). In conclusion, the problem of password-based session-key generation is cast as the following three-party functionality:

$$(w_A, w_B, b) \mapsto \begin{cases} (U_n, U_n, \lambda) & \text{if } b = 1 \text{ and } w_A = w_B, \\ (U_n, \perp, \lambda) & \text{otherwise,} \end{cases}$$

where w_A and w_B are A and B's respective passwords.

Our definition for password-based authenticated session-key generation is based on the "simulation paradigm" (cf. [Paul]). That is, we require a secure protocol to emulate an ideal execution of the above session-key generation functionality. In such an ideal execution, communication is via a trusted third party who receives the parties' inputs and (honestly) returns to each party its output, as designated by the functionality.

Footnote: This lack of symmetry in the definition is inherent as it is not possible to guarantee that A and B both terminate with the same "success/failure bit". For sake of simplicity, we (arbitrarily) choose to have A always receive a uniformly distributed session-key and to have B always output ⊥ when b = 0.

An important observation in the context of password-based security is that, in a real execution, an adversary can always attempt impersonation by simply guessing the secret password and participating in the protocol, claiming to be one of the parties. If the adversary's guess is correct, then impersonation always succeeds (and, for example, the adversary knows the generated session-key). Furthermore, by executing the protocol with one of the parties, the adversary can verify whether or not its guess is correct, and thus can learn information about the password (e.g., it can rule out an incorrect guess from the list of possible passwords). Since the dictionary may be small, this information learned by the adversary in a protocol execution may not be negligible at all. Thus, we cannot hope to obtain a protocol that emulates an ideal-model execution (in which C learns nothing) up to computational indistinguishability. Rather, the inherent limitation of password-based security is accounted for by (only) requiring that a real execution can be simulated in the ideal model such that the output distributions (in the ideal and real models) are (1 − O(ε))-indistinguishable (rather than 1-indistinguishable), where (as defined above) ε = 1/|𝒟|.

We note that the above limitation applies only to active adversaries who control the communication channel. Therefore, in the case of a passive (eavesdropping) adversary, we demand that the ideal and real model distributions be computationally indistinguishable (and not just (1 − O(ε))-indistinguishable). We now define the ideal and real models and present the formal definition of security.

The ideal model: Let A and B be honest parties and let C be any ppt ideal-model adversary (with arbitrary auxiliary input σ). An ideal-model execution proceeds in the following phases:

Initialization: A password w ∈_R 𝒟 is uniformly chosen from the dictionary and given to both A and B.

Sending inputs to trusted party: A and B both send the trusted party the password they have received in the initialization stage. The adversary C sends either 1 (denoting a successful protocol execution) or 0 (denoting a failed protocol execution).

The trusted party answers all parties: In the case C sends 1, the trusted party chooses a uniformly distributed string k ∈_R {0,1}^n and sends k to both A and B. In the case C sends 0, the trusted party sends k ∈_R {0,1}^n to A and ⊥ to B. In both cases, C receives no output.

The ideal distribution is defined as follows:

$$\mathrm{ideal}_C(\mathcal{D}, \sigma) \stackrel{\mathrm{def}}{=} (w, \mathrm{output}(A), \mathrm{output}(B), \mathrm{output}(C(\sigma)))$$

where w ∈_R 𝒟 is the input given to A and B in the initialization phase. Thus,

$$\mathrm{ideal}_C(\mathcal{D}, \sigma) = \begin{cases} (w, U_n, U_n, \mathrm{output}(C(\sigma))) & \text{if } \mathrm{send}(C(\sigma)) = 1, \\ (w, U_n, \perp, \mathrm{output}(C(\sigma))) & \text{otherwise,} \end{cases}$$

where send(C(σ)) denotes the value sent by C (to the trusted party), on auxiliary input σ.

Footnote: Since A and B are always honest, we need not deal with the case that they hand the trusted third party different passwords.



The real model: Let A and B be honest parties and let C be any ppt real-model adversary with arbitrary auxiliary input σ. As in the ideal model, the real model begins with an initialization stage in which both A and B receive an identical, uniformly distributed password w ∈_R 𝒟. Then, the protocol is executed with A and B communicating via C. The execution of this protocol is denoted C^{A(w),B(w)}(σ), and we augment C's view with the accept/reject decision bits of A and B (this decision bit denotes whether a party's private output is a session-key or ⊥). This formal requirement is necessary, since in practice this information can be implicitly understood from whether or not the parties continue communication after the session-key generation protocol has terminated. (We note that in our specific formulation, A always accepts and thus it is only necessary to provide C with the decision-bit output by B.) The real distribution is defined as follows:

$$\mathrm{real}_C(\mathcal{D}, \sigma) \stackrel{\mathrm{def}}{=} (w, \mathrm{output}(A), \mathrm{output}(B), \mathrm{output}(C^{A(w),B(w)}(\sigma)))$$

where w ∈_R 𝒟 is the input given to A and B in the initialization phase.



The definition of security: Loosely speaking, the definition requires that a secure protocol (in the real model) emulates the ideal model (in which a trusted party participates). This is formulated by saying that adversaries in the ideal model are able to simulate the execution of a real protocol, so that the input/output distribution of the simulation is (1 − O(ε))-indistinguishable from that of a real execution. We further require that passive adversaries can be simulated in the ideal model so that the output distributions are computationally indistinguishable (and not just (1 − O(ε))-indistinguishable).

Definition 2 (password-based authenticated session-key generation): A protocol for password-based authenticated session-key generation is secure if the following two requirements hold:

1. Passive adversaries: For every ppt real-model passive adversary C there exists a ppt ideal-model adversary C such that for every dictionary 𝒟 ⊆ {0,1}^n and every auxiliary input σ ∈ {0,1}^{poly(n)},

$$\{\mathrm{ideal}_C(\mathcal{D}, \sigma)\}_{n \in \mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{real}_C(\mathcal{D}, \sigma)\}_{n \in \mathbb{N}}$$

2. Arbitrary (active) adversaries: For every ppt real-model adversary C there exists a ppt ideal-model adversary C such that for every dictionary 𝒟 ⊆ {0,1}^n and every auxiliary input σ ∈ {0,1}^{poly(n)},

$$\{\mathrm{ideal}_C(\mathcal{D}, \sigma)\}_{n \in \mathbb{N}} \stackrel{1 - O(\epsilon)}{\equiv} \{\mathrm{real}_C(\mathcal{D}, \sigma)\}_{n \in \mathbb{N}}$$

where ε = 1/|𝒟|. We stress that the constant in O(ε) is a universal one.

Footnote: We stress that there is a fundamental difference between the real model as defined here and as defined in standard multi-party computation. Here, the parties A and B do not have the capability of communicating directly with each other. Rather, A can only communicate with C and likewise for B. This is in contrast to standard multi-party computation where all parties have direct communication links or where a broadcast channel is used.

Footnote: A passive adversary is one that does not modify, omit or insert any messages sent between A or B. That is, it can only eavesdrop and thus is limited to analyzing the transcript of a protocol execution between two honest parties. Passive adversaries are also referred to as semi-honest in the literature (e.g., in [EH]).



Properties of Definition 2: Definition 2 asserts that the joint input/output distribution from a real execution is at most "O(ε)-far" from an ideal execution in which the adversary learns nothing (and has no influence on the output except to cause B to reject). This immediately implies that the output session-key is (1 − O(ε))-pseudorandom (which, as we have mentioned, is the best possible for password-based key generation). Thus, if such a key is used for encryption then for any (partial information) predicate P, the probability that an adversary learns P(m) given the ciphertext E(m) is at most O(ε) + μ(n) greater than the a-priori probability (when the adversary is not given E(m)). Likewise, if the key is used for a message authentication code (MAC), then the probability that an adversary can generate a correct MAC-tag on a message not sent by A or B is at most negligibly greater than O(ε). We stress that the security of the output session-key does not deteriorate with its usage; that is, it can be used for polynomially-many encryptions or MACs and the security remains O(ε). Another important property of Definition 2 is that, except with probability O(ε), (either one party detects failure or) both parties terminate with the same session-key.

Definition 2 also implies that the password used remains (1 − O(ε))-indistinguishable from a randomly chosen (new) password w ∈_R 𝒟. (This can be seen from the fact that in the ideal model, the adversary learns nothing of the password w, which is part of the ideal distribution.) In particular, this implies that a secure protocol is resistant to offline dictionary attacks (whereby an adversary scans the dictionary in search of a password that is "consistent" with its view of a protocol execution).

Other desirable properties of session-key protocols are also guaranteed by Definition 2. Specifically, we mention forward secrecy and security in the face of loss of session-keys (also known as known-key attacks). Forward secrecy states that the session-key remains secure even if the password is revealed after the protocol execution. Analogously, security in the face of loss of session-keys means that the password and the current session-key maintain their security even if prior session-keys are revealed. These properties are immediately implied by the fact that, in the ideal model, there is no dependence between the session-key and the password and between session-keys from different sessions. Thus, learning the password does not compromise the security of the session-key and vice versa.
An additional property that is desirable is that of intrusion detection. That is, if the adversary modifies any message sent in a session, then with probability at least (1 − O(ε)) this is detected and at least one party rejects. This property is not guaranteed by Definition 2 itself; however, it does hold for our protocol. Combining this with Item 1 of Definition 2 (i.e., the requirement regarding passive adversaries), we conclude that in order for C to take advantage of its ability to learn "O(ε)-information", C must expose itself to the danger of being detected with probability 1 − O(ε).

Finally, we observe that the above definition also enables mutual authentication. This is because A's output session-key is always (1 − O(ε))-pseudorandom to the adversary. As this key is secret, it can be used for explicit authentication via a (mutual) challenge/response protocol. By adding such a step to any secure session-key protocol, we obtain explicit mutual authentication.

Augmenting the definition: Although Definition 2 seems to capture all that is desired from authenticated session-key generation, there is a subtlety that it fails to address (as pointed out by Rackoff to the authors of [^]). The issue is that the two parties do not necessarily terminate the session-key generation protocol simultaneously, and so one party may terminate the protocol and start using the session-key while the other party is still executing instructions of the session-key generation protocol (i.e., determining its last message). In this extended abstract, we note only that Definition 2 can be augmented to deal with this issue, and that our protocol is secure also with respect to the augmented definition. A full treatment of this issue is provided in the full version of the paper.

2.4 Our Main Result 

Given Definition 2 we can now formally state our main result.

Theorem 3 Assuming the existence of trapdoor permutations, there exist secure protocols for password-based authenticated session-key generation.

2.5 Multi-session Security 

The definition above relates to two parties executing a session-key generation protocol once. Clearly, we are interested in the more general case where many different parties run the protocol any number of times. It turns out that any protocol that is secure for a single invocation between two parties (i.e., as in Definition 2) is secure in the multi-party and sequential invocation case.

Footnote: The independence of session-keys from different sessions relates to the multi-session case, which is discussed in Section 2.5. For now, it is enough to note that the protocol behaves as expected in that after t executions of the real protocol, the password along with the outputs from all t sessions are (1 − O(tε))-indistinguishable from t ideal executions.

Footnote: It is easy to show that such a key can be used directly to obtain a (1 − O(ε))-pseudorandom function, which can then be used in a standard challenge/response protocol.



Many Invocations by Two Parties. Let A and B be parties who invoke t sequential executions of a session-key generation protocol. Given that we wish that an adversary gains no more than O(1) password guesses upon each invocation, the security upon the t-th invocation should be O(tε). That is, we consider ideal and real distributions consisting of the outputs from all t executions. Then, we require that these distributions be (1 − O(tε))-indistinguishable. It can be shown that any secure protocol for password-based authenticated session-key generation maintains O(tε) security after t sequential invocations. Details are given in the full version of this work.



Sequential vs Concurrent Executions for Two Parties: Our solution is proven secure only if A and B do not invoke concurrent executions of the session-key generation protocol (with the same password). We stress that a scenario whereby the adversary invokes B twice or more (sequentially) during a single execution with A is not allowed. Therefore, in order to actually use our protocol, some mechanism must be used to ensure that such concurrent executions do not take place. This can be achieved by having A and B wait Δ units of time between protocol executions (where Δ is greater than the time taken to run a single execution). Note that parties do not usually need to initiate session-key generation protocols immediately one after the other. Therefore, this delay mechanism need only be employed when an attempted session-key generation execution fails. This means that parties not "under attack" by an adversary are not inconvenienced in any way.

We note that this limitation does not prevent the parties from opening a number of different (independently-keyed) communication lines. They may do this by running the session-key protocol sequentially, once for each desired communication line. However, in this case, they incur a delay of Δ units of time between each execution. Alternatively, they may run the protocol once and obtain a (1 − O(ε))-pseudorandom session-key. This key may then be used as a shared, high-quality key for (concurrently) generating any polynomial number of (1 − O(ε))-pseudorandom session-keys, one for each communication line (simple and efficient protocols exist for this task, see [0]).



Many Parties. In the case where many parties execute the session-key protocol simultaneously, we claim that for m invocations of the protocol (which must be sequential for the same pair of parties and may be concurrent otherwise), the security is O(mε). We assume that different pairs of parties (executing concurrently) have independently distributed passwords. Then, the security is derived from the single-session case by noting that sessions with independently distributed passwords can be perfectly simulated by an adversary.
3 Our Session-Key Generation Protocol

All arithmetic below is over the finite field GF(2^n), which is identified with {0,1}^n. In our protocol, we use a secure protocol for evaluating non-constant, linear polynomials (actually, we could use any 1-1 Universal_2 family of hash functions). This protocol involves two parties A and B; party A has a non-constant, linear polynomial Q(·) ∈ {0,1}^{2n} and party B has a string x ∈ {0,1}^n. The functionality is (Q, x) ↦ (λ, Q(x)); that is, A receives nothing and B receives the value Q(x) (and nothing else). The fact that A is supposed to input a non-constant, linear polynomial can be enforced by simply mapping all possible input strings to the set of such polynomials (this convention is used for all references to polynomials from here on). We actually augment this functionality by having A also input a commitment to the polynomial Q (i.e., c_A ∈ Commit(Q)) and its corresponding decommitment r (i.e., c_A = C(Q, r)). Furthermore, B also inputs a commitment value c_B. The augmentation is such that if c_A ≠ c_B, then B receives a special failure symbol. This is needed in order to tie the polynomial evaluation to a value previously committed to in the main (higher level) protocol. The functionality is defined as follows:

Definition 4 (augmented polynomial evaluation):

• Input: Party A inputs a commitment c_A and its corresponding decommitment r, and a linear, non-constant polynomial Q. Party B inputs a commitment c_B and a value x.

• Output:

1. Correct Input Case: If c_A = c_B and c_A = C(Q, r), then B receives Q(x) and A receives nothing.

2. Incorrect Input Case: If c_A ≠ c_B or c_A ≠ C(Q, r), then B receives a special failure symbol, denoted ⊥, and A receives nothing.

We note that by [!SEH], this functionality can be securely computed (observe that the input conditions can be checked in polynomial time because A also provides the decommitment r).



3.1 The Protocol 

Let f be a one-way permutation and b a hard-core bit of f.

Protocol 5 (password-based authenticated session-key generation)

• Input: Parties A and B begin with a joint password w, which is supposed to be uniformly distributed in 𝒟.

• Output: A and B each output an accept/reject bit as well as session-keys k_A and k_B respectively (where k_A "should" equal k_B).

• The Protocol:

1. Stage 1: (Non-Malleable) Commit

a) A chooses a random, linear, non-constant polynomial Q over GF(2^n).

b) A and B engage in a non-malleable (perfectly binding) commitment protocol in which A commits to the string (Q, w) ∈ {0,1}^{2n}. Denote the random coins used by B in the commitment protocol by r_B and denote B's view of the execution of the commitment protocol by NMC(Q, w). Following the commitment protocol, B sends his random coins r_B to A. (This has no effect on the security, since the commitment scheme is perfectly binding and the commitment protocol has already terminated.)

2. Stage 2: Pre-Key Exchange - In this stage the parties "exchange" strings t_A and t_B, from which the output session-keys (as well as validation checks) are derived. Thus, t_A and t_B are called pre-keys.

a) A sends B a commitment c = C(Q, r), for a randomly chosen r.

b) A and B engage in an augmented polynomial evaluation protocol. A inputs Q and (c, r); B inputs w and c.

c) We denote B's output by t_B. (Note that t_B is supposed to equal Q(w).)

d) A internally computes t_A = Q(w).

3. Stage 3: Validation

a) A sends the string y = f^{2n}(t_A) to B.

b) A proves to B in zero-knowledge that she input the same polynomial in both the non-malleable commitment (performed in Stage 1) and the ordinary commitment (performed in Stage 2(a)), and that the value y is "consistent" with the non-malleable commitment. Formally, A proves the following statement:

There exists a string (X_1, X_2) ∈ {0,1}^{2n} and random coins r_{A,1}, r_{A,2} (where r_{A,1} and r_{A,2} are A's random coins in the non-malleable and ordinary commitments, respectively) such that

i. B's view of the non-malleable commitment, NMC(Q, w), is identical to the receiver's view of a non-malleable commitment to (X_1, X_2), where the sender and receiver's respective random coins are r_{A,1} and r_B (recall that r_B denotes B's random coins in the non-malleable commitment),

ii. c = C(X_1, r_{A,2}), and

iii. y = f^{2n}(X_1(X_2)).

The zero-knowledge proof used here is the specific zero-knowledge proof of Richardson and Kilian [m] with a specific setting of parameters.

c) Let T_A be the entire session transcript as seen by A (i.e., the sequence of all messages sent and received by A) and let MAC_k be a message authentication code, keyed by k. Then, A computes

$$k_1(t_A) \stackrel{\mathrm{def}}{=} b(t_A) \cdot b(f(t_A)) \cdots b(f^{n-1}(t_A)),$$

and sends m = MAC_{k_1(t_A)}(T_A) to B.

4. Decision Stage

a) A always accepts and outputs $k_2(t_A) \stackrel{\mathrm{def}}{=} b(f^{n}(t_A)) \cdot b(f^{n+1}(t_A)) \cdots b(f^{2n-1}(t_A))$.

b) B accepts if and only if all the following conditions are fulfilled:

• y = f^{2n}(t_B), where y is the string sent by A to B in Step 3(a) above and t_B is B's output from the polynomial evaluation. (Note that if t_B = ⊥ then no y fulfills this equality, and B always rejects.)

• B accepts the zero-knowledge proof in Step 3(b) above, and

• Verify_{k_1(t_B)}(T_B, m) = 1, where T_B is the session transcript as seen by B, the string m is the alleged MAC-tag that B receives, and verification is with respect to the MAC-key defined by k_1(t_B) = b(t_B) · b(f(t_B)) ··· b(f^{n−1}(t_B)).

If B accepts, then he outputs k_2(t_B) = b(f^{n}(t_B)) ··· b(f^{2n−1}(t_B)), otherwise he outputs ⊥. (Recall that the accept/reject decision bit is considered a public output.)

We stress that A and B always accept or reject based solely on these criteria, and that they do not halt (before this stage) even if they detect malicious behavior.

Footnote: Recall that B's view consists of his random coins and all messages received during the commitment protocol execution.

Footnote: The view of a protocol execution is a function of the parties' respective inputs and random strings. Therefore, (X_1, X_2), r_{A,1} and r_B define a single possible view. Furthermore, recall that B sent r_B to A following the commitment protocol. Thus A has NMC(Q, w) (which includes r_B), the committed-to value (Q, w) and r_{A,1}, enabling her to efficiently prove the statement.

See Figure 1 below for a schematic diagram of Protocol 5.

In our description of the protocol, we have referred only to parties A and B. That is, we have ignored the existence (and possible impact) of the channel C. That is, when A sends a string z to B, we "pretend" that B actually received z and not something else. In a real execution, this may not be the case at all. In the actual analysis we will subscript every value by its owner, as we have done for t_A and t_B in the protocol. For example, we shall say that in Step 3(a), A sends a string y_A and the string received by B is y_B.

3.2 Motivation for the Security of the Protocol 

The central module of Protocol 0 is the secure polynomial evaluation. This, in 
itself, is enough for achieving security against passive channels only. Specifically, 

The setting of parameters referred to relates to the number of iterations m in the 
first part of the Richardson-Kilian proof. We set m to equal the number of rounds 
in all other parts of our protocol plus any non-constant function of the security 
parameter. 
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Fig. 1. Schematic Diagram of the Protocol. 



consider the following protocol. Party $A$ chooses a random, linear polynomial $Q$ and inputs it into a secure polynomial evaluation with party $B$ who inputs the joint password $w$. By the definition of the polynomial evaluation, $B$ receives $Q(w)$ and $A$ receives nothing. Next, $A$ internally computes $Q(w)$ (she can do this as she knows both $Q$ and $w$), and both parties use this value as the session-key. The key is uniformly distributed (since $Q$ is random and linear) and due to the secrecy requirements of the polynomial evaluation, the protocol reveals nothing of $w$ or $Q(w)$ to a passive eavesdropper $C$ (since otherwise this would also be revealed to party $A$ who should learn nothing from the evaluation).

One key problem in extending the above argument to our setting (where C 
may be active) is that the security definitions of two-party computation guar- 
antee nothing about the simulatability of C’s view in this concurrent setting. 
We now provide some intuition into how simulation of our protocol is nevertheless achieved. First, assume that the MAC-value sent by A at the conclusion of the protocol is such that unless C behaved passively (and relayed all messages without modification), then B rejects (with some high probability). Now, if C
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behaves passively, then B clearly accepts (as in the case of honest parties A and 
B that execute the protocol without any interference). On the other hand, if 
C does not behave passively, then (by our assumption regarding the security of 
the MAC) B rejects. However, C itself knows whether or not it behaved pas- 
sively and therefore can predict whether or not B will reject. In other words, 
the accept/reject bit output by B is simulatable (by C itself). We proceed by 
observing that this bit is the only meaningful message sent by B during the 
protocol: apart from in the polynomial evaluation, the only messages sent by 
B are as the receiver in a non-malleable commitment protocol and the verifier 
in a zero-knowledge proof (clearly, no knowledge of the password w is used by 
B in these protocols). Furthermore, the polynomial evaluation is such that only 
B receives output. Therefore, intuitively, the input used by B is not revealed 
by the execution; equivalently, the view of C is (computationally) independent 
of B’s input w (this can be shown to hold even in our concurrent setting). We 
conclude that all messages sent by B during the execution can be simulated 
without knowledge of w. Therefore, by indeed simulating B, we can reduce the concurrent scenario involving A, C and B to a (standard) two-party setting between A and C. In this setting, we can then apply standard tools and techniques
for simulating C’s view in its interaction with A, and conclude that the entire 
real execution is simulatable in the ideal model. 

Thus, the basis for simulating C’s view lies in the security of the MAC in our 
scenario. Indeed, the MAC is secure when the parties using it (a priori) share a 
random MAC-key; but in our case the parties establish the MAC-key during the 
protocol, and it is not clear that this key is random nor the same in the view 
of both parties. In order to justify the security of the MAC (in our setting), we 
show that two properties hold. Firstly, we must show that with high probability 
either A and B hold the same MAC key or B is going to reject anyhow (and C knows this). Secondly, we need to show that this (identical) MAC-key held by A
and B has “sufficient pseudorandomness” to prevent C from successfully forging 
a MAC. The proof of these properties (especially the first one) is very involved 
and makes up a major part of the proof, which is presented in the full version 
of this work. 



3.3 Properties of the Protocol

The main properties of the protocol are captured by the following theorem.

Theorem 6: The protocol constitutes a secure protocol for password-based authenticated session-key generation (as defined above).

All the cryptographic tools used in the protocol can be securely implemented assuming the existence of trapdoor permutations. Thus, at the very least, Theorem 6 implies the feasibility result stated earlier.

Unfortunately, due to lack of space in this abstract, we do not provide a proof of Theorem 6. However, a demonstration of some of the proof techniques used to prove Theorem 6 is provided in Section 4.
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4 An Illustration of Our Proof Techniques 

In this section, we illustrate our proof techniques for a simplified scenario in which $A$ and $B$ execute a secure polynomial evaluation only, while communicating via an adversarial channel $C$. Recall that the polynomial evaluation functionality is defined (in the stand-alone setting) by $(Q, x) \mapsto (\lambda, Q(x))$. That is, $A$ has a polynomial $Q(\cdot)$ over some finite field and $B$ has an element $x$ in that field. The evaluation is such that $A$ learns nothing while $B$ obtains $Q(x)$. In the scenario that we are considering, $A$'s input is a random, linear polynomial and $B$'s input is a random password $w$ (as is the case in the protocol).

Recall that in this setting C may omit, insert and modify any message 
sent between A and B. Thus, in a sense C conducts two separate executions 
of the polynomial evaluation: one with A in which C impersonates B (called the (A, C)-execution), and one with B in which C impersonates A (called the (C, B)-execution). These two executions are carried out concurrently (by C),
and there is no explicit execution between A and B. 

We remind the reader that the definition of (stand-alone) secure two-party 
computation does not apply to the concurrent setting that we consider here. 
Furthermore, there are currently no tools for dealing with (general) concurrent 
computation in the two-party case. Therefore, our analysis of these executions 
uses specific properties of the protocol to remove the concurrency and obtain a 
reduction to the stand-alone setting. That is, we show how an adversarial success 
in the concurrent setting can be translated into a related adversarial success in 
the stand-alone setting. This enables us to analyze the adversary’s capability in 
the concurrent setting, based on the security of two-party stand-alone protocols. 

In order to demonstrate our proof techniques, we show that $C$ learns "little" of $w$ and $Q(w)$ from the above concurrent execution. Our formal statement of this has an ideal-model/real-model flavor. Specifically, we show that for every ppt adversary $C$ interacting with $A$ and $B$, there exists a non-interactive ppt machine $C'$ (who receives no input or output), such that $\{w, Q(w), \mathrm{output}(C^{A(Q),B(w)})\}$ is $(1-\varepsilon)$-indistinguishable from $\{w, U_n, \mathrm{output}(C')\}$. (Recall that $C^{A(Q),B(w)}$ denotes an execution of $C$ with $A$ and $B$ holding respective inputs $Q$ and $w$.) One can think of $C$ as being a real-model adversary and $C'$ an ideal-model adversary, where in this ideal model $C'$ sends no input to the trusted third party and likewise receives no output. We note that such a view is rather simplistic as we claim nothing here regarding the outputs of $A$ and $B$ from the execution (as is usually required in secure computation). In other words, here we prove a statement regarding privacy, but make no claims to correctness; for example, there is no guarantee that $C$ does not maul or skew the parties' outputs in some undesired way. Formally, we prove the following:

Theorem 7 (illustration): For every ppt adversarial channel $C$ interacting with $A$ and $B$, there exists a ppt machine $C'$ (interacting with nobody) such that for every dictionary $\mathcal{D} \subseteq \{0,1\}^n$,

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$$\{w,\ Q(w),\ \mathrm{output}(C^{A(Q),B(w)})\} \;\overset{1-\varepsilon}{\equiv}\; \{w,\ U_n,\ \mathrm{output}(C')\}$$

where $w \in_R \mathcal{D}$, $Q$ is a random linear polynomial, and $\varepsilon = 1/|\mathcal{D}|$.

(As in the definition of security, this implies that following the execution, with respect to $C$'s view, the password $w$ is $(1-\varepsilon)$-indistinguishable from a (new) randomly chosen password. It also implies that the value $Q(w)$ (used in the protocol to derive the MAC and session keys) is $(1-\varepsilon)$-pseudorandom with respect to $C$'s view.)

Proof: We prove the theorem by first showing how the $(C, B)$ execution can be simulated so that the view of $C$ in the simulation is negligibly close to its view in a real interaction. Then, we remain with a stand-alone execution between $A$ and $C$ only. In this scenario, we apply the standard definition of secure two-party computation to conclude that $C$ learns at most "$\varepsilon$-information" about $w$ and $Q(w)$. The fact that the $(C, B)$ execution can be simulated is formally stated as follows (in the statement of the lemma below, $C'^{A(Q)}$ denotes a stand-alone execution of $C'$ with $A$ upon input $Q$):

Lemma 8 (simulating the $(C, B)$ execution): For every ppt adversary $C$ interacting with both $A$ and $B$, there exists a ppt adversary $C'$ interacting with $A$ only, such that for every dictionary $\mathcal{D} \subseteq \{0,1\}^n$,

$$\{w,\ Q(w),\ \mathrm{output}(C^{A(Q),B(w)})\} \;\overset{c}{\equiv}\; \{w,\ Q(w),\ \mathrm{output}(C'^{A(Q)})\}$$

where $w \in_R \mathcal{D}$ and $Q$ is a random linear polynomial.

Proof: Loosely speaking, we prove this lemma by showing that $B$'s role in the $(C, B)$ execution can be simulated without any knowledge of $w$. Thus, $C'$ is able to simulate $B$'s role for $C$ and we obtain the lemma. We begin by showing that $C$ learns nothing of $B$'s input $w$ from the $(C, B)$ polynomial evaluation. This is trivial in a stand-alone setting by the definition of the functionality; here we claim that it also holds in our concurrent setting. Formally, we show that if $B$ were to use some fixed $w' \in \mathcal{D}$ instead of the password $w$, then this is indistinguishable to $C$ (when also interacting concurrently with $A$). That is,

$$\{w,\ Q(w),\ \mathrm{output}(C^{A(Q),B(w)})\} \;\overset{c}{\equiv}\; \{w,\ Q(w),\ \mathrm{output}(C^{A(Q),B(w')})\} \qquad (1)$$

where $w \in_R \mathcal{D}$ is a random password and $w' \in \mathcal{D}$ is fixed. Later, we will use Eq. (1) in order to show how $C'$ simulates the $(C, B)$ execution for $C$. First, we prove Eq. (1) by reducing $C$'s concurrent execution with $A$ and $B$ to a stand-alone two-party setting between $C$ and $B$ only. This reduction is obtained by giving the adversary $C$ the polynomial $Q$. Now, $C$ has $A$'s entire input and can perfectly emulate the $(A, C)$ execution by itself. Formally, there exists an adversary $C''$, given auxiliary input $Q$, and interacting with $B$ only, such that the following two equations hold:

$$\{w,\ Q(w),\ \mathrm{output}(C^{A(Q),B(w)})\} \;\equiv\; \{w,\ Q(w),\ \mathrm{output}(C''^{B(w)}(Q))\} \qquad (2)$$

$$\{w,\ Q(w),\ \mathrm{output}(C^{A(Q),B(w')})\} \;\equiv\; \{w,\ Q(w),\ \mathrm{output}(C''^{B(w')}(Q))\} \qquad (3)$$

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where $C''^{B(w)}(Q)$ denotes a stand-alone execution of $C''$ (given input $Q$) with $B$ (who has input $w$). Machine $C''$ works by playing $A$'s role in the $(A, C)$-execution and forwarding all messages belonging to the $(C, B)$-execution between $C$ and $B$ (notice that $C''$ can play $A$'s role because it knows $Q$). We therefore remain with a stand-alone setting between $C''$ (given auxiliary input $Q$) and $B$, in which $B$ inputs either $w$ or $w'$ into the polynomial evaluation. In this stand-alone setting, the security of the polynomial evaluation guarantees that $C''$ can distinguish the input cases with at most negligible probability. That is, for every ppt adversary $C''$, it holds that

$$\{w,\ Q(w),\ \mathrm{output}(C''^{B(w)}(Q))\} \;\overset{c}{\equiv}\; \{w,\ Q(w),\ \mathrm{output}(C''^{B(w')}(Q))\} \qquad (4)$$

Eq. (1) then follows by combining Equations (2), (3) and (4). In summary, we have shown that even in our concurrent setting where $C$ interacts with both $A$ and $B$, the adversary $C$ cannot distinguish the cases that $B$ inputs $w$ or $w'$.

We are now ready to show how $C'$ works (recall that $C'$ interacts with $A$ only and its aim is to simulate a concurrent execution with $A$ and $B$ for $C$). Machine $C'$ begins by selecting an arbitrary $w' \in \mathcal{D}$. Then, $C'$ perfectly emulates an execution of $C^{A(Q),B(w')}$ by playing $B$'s role in the $(C, B)$ execution and forwarding all messages belonging to the $(A, C)$ execution between $A$ and $C$ ($C'$ can play $B$'s role here because $w'$ is known to it). By Eq. (1) we conclude that this emulation is computationally indistinguishable from a real execution of $C^{A(Q),B(w)}$. This completes the proof of the lemma. ∎

(We remark that the proof of Lemma 8 is typical of many of our proofs. Our goal is to obtain a reduction from the concurrent setting to the stand-alone setting between A and C, and we obtain this reduction by simulating B. However, in order to show that this simulation is "good" we first reduce the concurrent setting to a stand-alone setting between C and B by simulating A.)

It remains to show that the view of $C'$ in its (stand-alone) interaction with $A$ can be simulated and that in this interaction, $C'$ learns at most "$\varepsilon$-information" about $w$ and $Q(w)$. Formally,

Lemma 9 (simulating the $(A, C')$ stand-alone execution): For every ppt adversary $C'$ interacting with $A$, there exists a ppt machine $C''$ (interacting with nobody) such that for every dictionary $\mathcal{D} \subseteq \{0,1\}^n$,

$$\{w,\ Q(w),\ \mathrm{output}(C'^{A(Q)})\} \;\overset{1-\varepsilon}{\equiv}\; \{w,\ U_n,\ \mathrm{output}(C'')\}$$

where $w \in_R \mathcal{D}$, $Q$ is a random linear polynomial and $\varepsilon = 1/|\mathcal{D}|$.

Proof: The setting of this lemma is already that of standard two-party computation. Therefore, the security definition of two-party computation can be applied directly in order to prove the lemma. We sketch this more standard proof for the sake of completeness. We begin by showing that

$$\{w,\ Q(w),\ \mathrm{output}(C'^{A(Q)})\} \;\overset{1-\varepsilon}{\equiv}\; \{w,\ U_n,\ \mathrm{output}(C'^{A(Q)})\} \qquad (5)$$

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In order to prove Eq. (5), recall that the security of the polynomial evaluation implies that the receiver (here played by $C'$) can learn nothing beyond the value of $Q(\cdot)$ at a single point selected by $C'$. We denote this point by $w_C$. Then, in the case that $w_C \neq w$, the values $Q(w)$ and $U_n$ are identically distributed (by the pairwise independence of random linear polynomials). That is, unless $w_C = w$, machine $C'$ learns nothing of the value $Q(w)$. However, since $w$ is uniformly distributed in $\mathcal{D}$, the probability that $w_C = w$ is at most $\varepsilon$. This means that, given the view of $C'$, $Q(w)$ can be distinguished from $U_n$ with probability at most $\varepsilon$.
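The pairwise-independence step of this argument, as an added example that is not part of the paper: over a small prime field GF(p) it enumerates every linear polynomial and checks that, conditioned on the value a receiver learns at a point $w_C \ne w$, the value $Q(w)$ is exactly uniform, while at $w_C = w$ it is fully determined; it also computes the exact averaged distinguishing advantage $(1 - 1/p)/|\mathcal{D}|$, which is at most $\varepsilon = 1/|\mathcal{D}|$. The field size, dictionary and evaluation points are constructed toy values.

```python
"""Pairwise independence of random linear polynomials over GF(p).

Enumerates every Q(X) = a*X + b over the field and tabulates the session value
Q(w), conditioned on the single value Q(w_c) that a receiver who substituted
w_c for the password gets to see.  Field size, dictionary and points below are
constructed toy values; the argument itself does not depend on the field."""
from collections import Counter
from fractions import Fraction


def linear_polynomials(p):
    """All p^2 linear polynomials, encoded as (a, b) for Q(X) = a*X + b."""
    return [(a, b) for a in range(p) for b in range(p)]


def evaluate(q, x, p):
    a, b = q
    return (a * x + b) % p


def conditional_table(p, w, w_c):
    """Map each observable value v = Q(w_c) to the distribution (a Counter)
    of Q(w) over all polynomials Q consistent with v."""
    table = {}
    for q in linear_polynomials(p):
        table.setdefault(evaluate(q, w_c, p), Counter())[evaluate(q, w, p)] += 1
    return table


def is_uniform(counter, p):
    """True iff every field element occurs, all with the same multiplicity."""
    return len(counter) == p and len(set(counter.values())) == 1


def receiver_leaks_nothing(p, w, w_c):
    """Lemma 9 step: for w_c != w every conditional distribution of Q(w) is
    uniform, so the single evaluation carries no information about Q(w)."""
    return all(is_uniform(c, p) for c in conditional_table(p, w, w_c).values())


def statistical_distance(counter, p):
    """Statistical distance between the distribution in `counter` and U over GF(p)."""
    total = sum(counter.values())
    return sum(abs(Fraction(counter[s], total) - Fraction(1, p)) for s in range(p)) / 2


def average_advantage(p, dictionary, w_c):
    """Exact distance between (view, Q(w)) and (view, U_p), averaged over the
    password w uniform in the dictionary.  Only w == w_c contributes, giving
    (1 - 1/p) / |D| when w_c is in D, which is below epsilon = 1/|D|."""
    acc = Fraction(0)
    for w in dictionary:
        for counter in conditional_table(p, w, w_c).values():
            # each observable value v is seen with probability p / p^2 = 1/p
            acc += Fraction(sum(counter.values()), p * p) * statistical_distance(counter, p)
    return acc / len(dictionary)


if __name__ == "__main__":
    p, dictionary = 7, [1, 2, 3]          # constructed toy field and dictionary
    print("w_c != w leaks nothing:", receiver_leaks_nothing(p, 3, 5))
    print("w_c == w determines Q(w):", receiver_leaks_nothing(p, 3, 3))
    print("averaged advantage for w_c = 2:", average_advantage(p, dictionary, 2))
```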

We are now ready to define the (non-interactive) machine $C''$. Machine $C''$ works by first choosing a random linear polynomial $Q'$. Next, $C''$ perfectly emulates $C'^{A(Q')}$ by playing $A$'s role in the execution with $C'$ ($C''$ uses the polynomial $Q'$ as $A$'s input). Finally, $C''$ outputs whatever $C'$ does. Since $w$ and $U_n$ are independent of the polynomials $Q$ and $Q'$, it follows that

$$\{w,\ U_n,\ \mathrm{output}(C'^{A(Q)})\} \;\equiv\; \{w,\ U_n,\ \mathrm{output}(C'')\} \qquad (6)$$

The lemma follows by combining Equations (5) and (6). ∎

Combining Lemmas 8 and 9 we obtain Theorem 7. ∎

We reiterate that Theorem 7 relates only to the secrecy of the password $w$ and value $Q(w)$. Unlike the definition of security, it does not say anything about the outputs of the parties $A$ and $B$. Furthermore, the model is significantly simplified by the fact that there is no public accept/reject bit output by the parties (as discussed in Section 3.2, simulating this bit is the most involved part of our proof). Thus, unfortunately, the above proof is merely an illustration of some of our techniques used in proving Theorem 6.
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Abstract. A fixed-pattern padding consists in concatenating to the message $m$ a fixed pattern $P$. The RSA signature is then obtained by computing $(P|m)^d \bmod N$ where $d$ is the private exponent and $N$ the modulus. In Eurocrypt '97, Girault and Misarsky showed that the size of $P$ must be at least half the size of $N$ (in other words the parameter configurations $|P| < |N|/2$ are insecure) but the security of RSA fixed-pattern padding remained unknown for $|P| > |N|/2$. In this paper we show that the size of $P$ must be at least two-thirds of the size of $N$, i.e. we show that $|P| < 2|N|/3$ is insecure.

Keywords: RSA signatures, fixed-pattern padding, affine redundancy. 



1 Introduction 



RSA was invented in 1977 by Rivest, Shamir and Adleman, and is now the most widely used public-key cryptosystem. RSA is commonly used for providing privacy and authenticity of digital data, and securing web traffic between servers and browsers.

A very common practice for signing with RSA is to first hash the message, add some padding, and then raise the result to the power of the decryption exponent. This paradigm is the basis of numerous standards such as PKCS #1 v2.0.

In this paper, we consider RSA signatures with fixed-pattern padding, without using a hash function. To sign a message $m$, the signer concatenates a fixed padding $P$ to the message, and the signature is obtained by computing:

$$s = (P|m)^d \bmod N$$

where $d$ is the private exponent and $N$ the modulus.

More generally, we consider RSA signatures in which a simple affine redundancy is used. To sign a message $m$, the signer first computes:

$$R(m) = \omega \cdot m + a \qquad \text{where} \quad \begin{cases} \omega \text{ is the multiplicative redundancy} \\ a \text{ is the additive redundancy} \end{cases} \qquad (1)$$
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Fig. 1. Example of an RSA padding forgeable by De Jonge and Chaum's method where $\omega = 1$ and $a = \mathrm{FF \ldots FF\,00 \ldots 00}_{16}$ (the pattern of FF bytes occupies the top $|N|/3$ bits and the message the remaining $2|N|/3$ bits).



Fig. 2. Example of an RSA padding forgeable by Girault and Misarsky's method where $\omega = 1$ and $a = \mathrm{FF \ldots FF\,00 \ldots 00}_{16}$ (the pattern of FF bytes occupies the top $|N|/2$ bits and the message the remaining $|N|/2$ bits).



The signature of $m$ is then:

$$s = R(m)^d \bmod N$$

A left-padded redundancy scheme $P|m$ is obtained by taking $\omega = 1$ and $a = P \cdot 2^{|m|}$, whereas a right-padding redundancy scheme $m|P$ is obtained by taking $\omega = 2^{|P|}$ and $a = P$.

No proof of security is known for RSA signatures with affine redundancy, and several attacks on such formats have appeared (see the references for a thorough survey). At Crypto '85, De Jonge and Chaum exhibited a multiplicative attack against RSA signatures with affine redundancy, based on the extended Euclidean algorithm. Their attack applies when the multiplicative redundancy $\omega$ is equal to one and the size of the message is at least two-thirds of the size of the RSA modulus $N$:

$$|\text{message}| \ge \tfrac{2}{3}\,|N|$$

For example, a signature can be forged if one uses the affine redundancy of Figure 1.

De Jonge and Chaum's attack was extended by Girault and Misarsky at Eurocrypt '97, using Okamoto-Shiraishi's algorithm, which is an extension of the extended Euclidean algorithm. They increased the field of application of multiplicative attacks on RSA signatures with affine redundancy as their attack applies to any value of $\omega$ and $a$, when the size of the message is at least half the size of the modulus (refer to Figure 2 for an illustration):

$$|\text{message}| \ge \tfrac{1}{2}\,|N|$$
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Fig. 3. Example of an RSA padding forgeable by our technique where $\omega$ is equal to one and $a = \mathrm{FF \ldots FF\,00 \ldots 00}_{16}$ (the pattern of FF bytes occupies the top $2|N|/3$ bits and the message the remaining $|N|/3$ bits).

Girault and Misarsky also extended the multiplicative attacks to RSA signatures with modular redundancy:

$$R(m) = \omega_1 \cdot m + \omega_2 \cdot (m \bmod b) + a \qquad (2)$$

where $\omega_1, \omega_2$ is the multiplicative redundancy, $a$ is the additive redundancy and $b$ is the modular redundancy. In this case, the size of the message must be at least half the size of the modulus plus the size of the modular redundancy.

Finally, Girault and Misarsky's attack was extended by Misarsky at Crypto '97 to a redundancy function in which the message $m$ and the modular redundancy $m \bmod b$ can be split into different parts, using the LLL algorithm. The attack applies when the size of the message is at least half the size of the modulus plus the size of the modular redundancy.

In this paper, we extend Girault and Misarsky's attack against RSA signatures with affine redundancy to messages of size as small as one third of the size of the modulus, as illustrated in Figure 3:

$$|\text{message}| \ge \tfrac{1}{3}\,|N|$$

Like Girault and Misarsky's attack, our attack applies for any $\omega$ and $a$ and runs in polynomial time. However, our attack is existential only, as we cannot choose the message whose signature we forge, whereas Girault and Misarsky's attack is selective: they can choose the message whose signature is forged.

2 The New Attack 

In this section we extend Girault and Misarsky's multiplicative attack on RSA signatures with affine redundancy to messages of size as small as one third of the size of $N$. A multiplicative attack is an attack in which the redundancy function of a message can be expressed as a multiplicative combination of the redundancy functions of other messages. So we look for four distinct messages $m_1$, $m_2$, $m_3$ and $m_4$, each as small as one third of the size of the modulus, such that:

$$R(m_1) \cdot R(m_2) = R(m_3) \cdot R(m_4) \bmod N \qquad (3)$$

Then, using the signatures of $m_2$, $m_3$ and $m_4$, one can forge the signature of $m_1$ by:

$$R(m_1)^d = \frac{R(m_3)^d \cdot R(m_4)^d}{R(m_2)^d} \bmod N$$
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From (3) we obtain:

$$(\omega \cdot m_1 + a) \cdot (\omega \cdot m_2 + a) = (\omega \cdot m_3 + a) \cdot (\omega \cdot m_4 + a) \bmod N$$

Denoting $P = a / \omega \bmod N$, we obtain:

$$(P + m_1) \cdot (P + m_2) = (P + m_3) \cdot (P + m_4) \bmod N$$

and letting:

$$t = m_3, \qquad y = m_2 - m_3, \qquad x = m_1 - m_3, \qquad z = m_4 - m_1 - m_2 + m_3$$

we obtain:

$$((P + t) + x) \cdot ((P + t) + y) = (P + t) \cdot ((P + t) + x + y + z) \bmod N$$

which simplifies into:

$$x \cdot y = (P + t) \cdot z \bmod N \qquad (5)$$

Our goal is consequently to find four integers $x$, $y$, $z$ and $t$, each as small as one third of the size of $N$, satisfying equation (5).

First, we obtain two integers $z$ and $u$ such that

$$P \cdot z = u \bmod N \quad \text{with} \quad \begin{cases} -N^{1/3} < z < N^{1/3} \\ 0 < u < 2 \cdot N^{2/3} \end{cases}$$

As noted in earlier work, this is equivalent to finding a good approximation of the fraction $P/N$, and can be done efficiently by developing it in continued fractions, i.e. applying the extended Euclidean algorithm to $P$ and $N$. A solution is found such that $|z| < Z$ and $0 < u < U$ if $Z \cdot U > N$, which is the case here with $Z = N^{1/3}$ and $U = 2 \cdot N^{2/3}$.

We then select an integer $y$ such that $N^{1/3} < y < 2 \cdot N^{1/3}$ and $\gcd(y, z) = 1$. We find the non-negative integer $t < y$ such that:

$$t \cdot z = -u \bmod y$$

which is possible since $\gcd(y, z) = 1$. Then we take

$$x = \frac{u + t \cdot z}{y} < 4 N^{1/3}$$

and obtain:

$$P \cdot z = u = x \cdot y - t \cdot z \bmod N$$

which gives equation (5), with $x$, $y$, $z$ and $t$ being all smaller than $4 \cdot N^{1/3}$. From $x$, $y$, $z$, $t$ we derive four messages $m_1$, $m_2$, $m_3$ and $m_4$, each of size one third the size of $N$:

$$m_1 = x + t, \qquad m_2 = y + t, \qquad m_3 = t, \qquad m_4 = x + y + z + t \qquad (6)$$
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Since $-N^{1/3} < z < N^{1/3}$ and $y > N^{1/3}$ we have $y + z > 0$, which gives, using $u > 0$:

$$x + t = \frac{u + t \cdot (z + y)}{y} > 0$$

which shows that the four integers $m_1$, $m_2$, $m_3$ and $m_4$ are non-negative, and we have

$$R(m_1) \cdot R(m_2) = R(m_3) \cdot R(m_4) \bmod N$$

The complexity of our attack is polynomial in the size of $N$. In the appendix we give an example of such a forgery computed using RSA Laboratories' official 1024-bit challenge-modulus RSA-309.
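The construction of this section (relation (3) through $x \cdot y = (P + t) \cdot z \bmod N$), as an added Python example that is not part of the paper: it finds $z$ and $u$ with the extended Euclidean algorithm, then $y$, $t$ and $x$, and checks the four resulting messages against the redundancy function. Since the construction works for any $\omega$ and $a$, the example uses a right-padded pattern $m|P$ rather than the left-padded figures; the 65-bit modulus and the pattern are constructed toy values, not the RSA-309 instance of the appendix.

```python
"""Multiplicative relation on affine redundancy R(m) = w*m + a (Section 2).

Given N and the redundancy constants, find four messages of about one third
the size of N with R(m1)*R(m2) = R(m3)*R(m4) mod N: a small z with P*z small
mod N (extended Euclid), then y, t and x solving x*y = (P + t)*z mod N.
The modulus and padding below are constructed toy values."""
from math import gcd


def icbrt(n):
    """Floor of the integer cube root of n >= 0, by bisection (exact for big ints)."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_multiple(P, N, Z, U):
    """Return (z, u) with P*z = u mod N, |z| < Z and 0 < u < U, given Z*U > N.

    Extended Euclid on (N, P), tracking only the coefficient of P: every
    remainder r_i equals s_i*N + t_i*P.  The first remainder below U comes with
    |t_i| <= N / r_{i-1} <= N / U < Z."""
    assert Z * U > N
    r0, r1 = N, P % N
    t0, t1 = 0, 1
    while r1 >= U:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r1 == 0:
        raise ValueError("gcd(P, N) is not below the bound U")
    assert abs(t1) < Z and (P * t1 - r1) % N == 0
    return t1, r1


def four_messages(P, N):
    """Messages (m1, m2, m3, m4) as in (6): all non-negative, each below
    9 * N^(1/3), with (P + m1)(P + m2) = (P + m3)(P + m4) mod N."""
    c = icbrt(N)
    z, u = small_multiple(P, N, c + 1, 2 * c * c)   # |z| <= c, 0 < u < 2 c^2
    y = c + 1                                        # c < y <= 2c, coprime to z
    while gcd(y, z) != 1:
        y += 1
    t = (-u * pow(z, -1, y)) % y                     # t*z = -u mod y, 0 <= t < y
    x, rem = divmod(u + t * z, y)                    # exact by the choice of t
    assert rem == 0 and (x * y - (P + t) * z) % N == 0   # equation (5)
    return x + t, y + t, t, x + y + z + t


def redundancy(m, w, a, N):
    return (w * m + a) % N


def relation_holds(ms, w, a, N):
    """Check equation (3): R(m1)*R(m2) = R(m3)*R(m4) mod N."""
    m1, m2, m3, m4 = ms
    lhs = redundancy(m1, w, a, N) * redundancy(m2, w, a, N)
    rhs = redundancy(m3, w, a, N) * redundancy(m4, w, a, N)
    return (lhs - rhs) % N == 0


# Constructed toy instance: a 65-bit odd modulus and a right-padded scheme
# m|P with a pattern P of ones, i.e. w = 2^|P| and a = P (about 2|N|/3 bits).
TOY_N = 4294967311 * 4294967357
PAD_BITS = 2 * TOY_N.bit_length() // 3 - 4
TOY_W = 1 << PAD_BITS
TOY_A = (1 << PAD_BITS) - 1


def toy_instance():
    """Run the construction on the toy instance; returns the four messages."""
    P = TOY_A * pow(TOY_W, -1, TOY_N) % TOY_N        # P = a / w mod N
    return four_messages(P, TOY_N)


if __name__ == "__main__":
    ms = toy_instance()
    print("messages:", ms)
    print("bit lengths:", [m.bit_length() for m in ms], "vs |N| =", TOY_N.bit_length())
    print("R(m1)R(m2) == R(m3)R(m4) mod N:", relation_holds(ms, TOY_W, TOY_A, TOY_N))
```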

3 Extension to Selective Forgery 

The attack of the previous section is only existential: we cannot choose the message to be forged. In this section we show how we can make the forgery selective, but in this case the attack is no longer polynomial. Let $m_3$ be the message whose signature must be forged. Letting $x$, $y$, $z$ and $t$ be as in (6), we compute two integers $z$ and $u$ such that

$$(P + t) \cdot z = u \bmod N \quad \text{with} \quad \begin{cases} -N^{1/3} < z < N^{1/3} \\ 0 < u < 2 \cdot N^{2/3} \end{cases}$$

We then factor $u$, and try to write $u$ as the product $x \cdot y$ of two integers of roughly the same size, so that eventually we have four integers $x$, $y$, $z$, $t$ of size roughly one third of the size of the modulus, with:

$$x \cdot y = (P + t) \cdot z \bmod N$$

which gives again

$$R(m_1) \cdot R(m_2) = R(m_3) \cdot R(m_4) \bmod N$$

The signature of $m_3$ can now be forged using the signatures of $m_1$, $m_2$ and $m_4$. For a 512-bit modulus the selective forgery attack is truly practical. For a 1024-bit modulus the attack is more demanding but was still implemented with success.

4 Conclusion 

We have extended Girault and Misarsky’s attack on RSA signatures with affine 
redundancy: we described a chosen message attack against RSA signatures with 
affine redundancy for messages as small as one third of the size of the modulus. 
Consequently, when using a fixed padding P|m or m|P, the size of P must be 
at least two-thirds of the size of N. Our attack is polynomial in the length of 
the modulus. It remains an open problem to extend this attack to even smaller 
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messages (or, equivalently, to bigger fixed-pattern constants): we do not know if 
there exists a polynomial time attack against RSA signatures with affine redun- 
dancy for messages shorter than one third of the size of the modulus. However, 
we think that exploring to what extent affine padding is malleable increases our 
understanding of RSA’s properties and limitations. 

Acknowledgements. We would like to thank Christophe Tymen, Pascal Pail- 
lier, Helena Handschuh and Alexey Kirichenko for helpful discussions and the 
anonymous referees for their constructive comments. 
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We describe a practical forgery with $\omega = 1$ and $a = 2^{1023} - 2^{352}$, the modulus $N$ being RSA Laboratories' official challenge RSA-309, whose factorisation is still unknown.
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N = RSA-309

We obtain:

$$R(m_1) \cdot R(m_2) = R(m_3) \cdot R(m_4) \bmod N$$

where messages $m_1$, $m_2$, $m_3$ and $m_4$ are as small as one third of the size of the modulus.



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Abstract. The shrinking generator is a well-known keystream generator composed of two linear feedback shift registers, LFSR1 and LFSR2, where LFSR1 is clock-controlled according to regularly clocked LFSR2. A probabilistic analysis of the shrinking generator which shows that this generator can be vulnerable to a specific fast correlation attack is conducted. The first stage of the attack is based on a recursive computation of the posterior probabilities of individual bits of the regularly clocked LFSR1 sequence when conditioned on a given segment of the keystream sequence. Theoretical analysis shows that these probabilities are significantly different from one half and can hence be used for reconstructing the initial state of LFSR1 by iterative probabilistic decoding algorithms for fast correlation attacks on regularly clocked LFSR's. In the second stage of the attack, the initial state of LFSR2 is reconstructed in a similar way, which is based on a recursive computation of the posterior probabilities of individual bits of the LFSR2 sequence when conditioned on the keystream sequence and on the reconstructed LFSR1 sequence.

Keywords. Stream ciphers, unconstrained irregular clocking, posterior probabilities, fast correlation attacks.



1 Introduction 

The shrinking generator is a well-known keystream generator for stream cipher applications. It consists of only two linear feedback shift registers (LFSR's). The clock-controlled LFSR, LFSR1, is irregularly clocked according to the clock-control LFSR, LFSR2, which is regularly clocked. More precisely, at each time, both LFSR's are clocked once and the bit produced by LFSR1 is taken as the output bit if the clock-control bit produced by LFSR2 is equal to 1. Otherwise, the output bit is not produced. The output sequence is thus a nonuniformly decimated LFSR1 sequence. It is recommended in the original proposal that the LFSR initial states and the feedback polynomials be defined by the secret key. Under certain conditions, the output sequences possess a long period, a high linear complexity, and good statistical properties.

As pointed out previously in the literature, a basic divide-and-conquer attack on the shrinking generator is the linear consistency attack on LFSR2 which requires the exhaustive search through all possible initial states and feedback polynomials of

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 440 ff., 2001.
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LFSR2. On the other hand, a probabilistic correlation attack targeting LFSR1 which requires the exhaustive search through all possible initial states and feedback polynomials of LFSR1 has been proposed and analyzed by computer simulations. A reduced complexity method based on searching for specific subsequences of the output sequence has been suggested, but both the complexity and the required keystream segment length are exponential in the length of LFSR1.
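The generator as described above, as an added Python example that is not part of the paper: two toy LFSRs, the shrinking rule, and the probability under the purely random model that the regularly clocked bit $x_k$ equals keystream bit $z_j$. That probability, $1/2 + \binom{k}{j}/2^{k+2}$, is a closed form derived here for the simple pairwise case, not the paper's recursion on the whole keystream segment; the feedback taps and initial states are constructed values.

```python
"""Shrinking generator (as in the introduction) and a pairwise correlation.

Both registers are clocked together; bit x_k of LFSR1 is emitted only when the
clock-control bit c_k of LFSR2 is 1.  With x and c independent and purely
random, keystream bit z_j equals x_k with probability 1/2 + C(k, j)/2^(k+2),
a bias of the kind a correlation attack turns into soft-valued estimates.
Taps, initial states and this closed form are constructed here."""
from math import comb


def lfsr(state, taps, nbits):
    """Fibonacci LFSR: `state` lists the register bits oldest first and `taps`
    the positions XORed to form the feedback bit.  Returns nbits output bits."""
    s = list(state)
    out = []
    for _ in range(nbits):
        out.append(s[0])
        fb = 0
        for t in taps:
            fb ^= s[t]
        s = s[1:] + [fb]
    return out


def shrink(x_bits, c_bits):
    """Shrinking rule: x_k is kept in the keystream iff c_k == 1."""
    return [x for x, c in zip(x_bits, c_bits) if c == 1]


def shrinking_generator(state1, taps1, state2, taps2, nclocks):
    """Keystream after nclocks joint clocks (a nonuniform decimation of LFSR1)."""
    return shrink(lfsr(state1, taps1, nclocks), lfsr(state2, taps2, nclocks))


def prob_equal(k, j):
    """P(x_k == z_j) for independent purely random x and c: z_j is the x-bit at
    the position of the (j+1)-th one in c, which is k with probability
    C(k, j)/2^(k+1); otherwise the two bits are independent (equal w.p. 1/2)."""
    if j > k:
        return 0.5
    return 0.5 + comb(k, j) / 2 ** (k + 2)


def prob_equal_by_enumeration(k, j):
    """Same quantity by brute force over all 2^(k+1) clock-control prefixes."""
    total = 0.0
    for mask in range(1 << (k + 1)):
        c = [(mask >> i) & 1 for i in range(k + 1)]
        total += 1.0 if c[k] == 1 and sum(c[:k]) == j else 0.5
    return total / (1 << (k + 1))


def best_alignment(k):
    """Keystream index j most correlated with x_k (about k/2) and that probability."""
    j = max(range(k + 1), key=lambda j: prob_equal(k, j))
    return j, prob_equal(k, j)


if __name__ == "__main__":
    # constructed toy registers: x^3 + x + 1 for both, different initial states
    print("keystream:", shrinking_generator([1, 0, 0], [0, 1], [1, 1, 0], [0, 1], 14))
    print("best alignment for x_100:", best_alignment(100))
```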

It has been shown that the output sequence may have a detectable linear statistical weakness if the feedback polynomial of LFSR1 has low-weight polynomial multiples of moderately large degrees, and it has been suggested that this weakness may even be used for recovering the LFSR1 feedback polynomial. A theoretical framework for a fast correlation attack targeting the initial state of LFSR1 has also been proposed, but that attack was not implemented as it requires a search for specific polynomial multiples of the LFSR1 feedback polynomial.

The objective of this paper is to investigate if the initial states of LFSR1 and LFSR2 can be reconstructed by an algorithm that would not require the exhaustive search through all possible initial states and whose complexity can be sufficiently small even for large LFSR lengths. The LFSR feedback polynomials are assumed to be known. The basic point of our approach is to consider the posterior probabilities of individual bits of the regularly clocked LFSR1 sequence when conditioned on a given segment of the keystream sequence. In the probabilistic model where the LFSR sequences are assumed to be independent and purely random¹, a recursion and an explicit expression for computing these probabilities with complexity quadratic in the keystream segment length are both derived. A theoretical analysis shows that the computed posterior probabilities can be significantly different from one half for a purely random output sequence. In a more general probabilistic model, in which the LFSR1 sequence is assumed to be a sequence of independent, not necessarily uniformly distributed, binary random variables, it is proved that the posterior probabilities can be recursively computed with complexity cubic in the keystream segment length.

Accordingly, as these probabilities represent soft-valued estimates of the corresponding bits of the regularly clocked LFSR1 sequence, they can be used in an iterative probabilistic decoding algorithm for fast correlation attacks on regularly clocked LFSR's. It is known that the complexity of such an algorithm primarily depends on the degrees and numbers of low-weight polynomial multiples of the feedback polynomial of LFSR1, which may also contain an additional number of concentrated nonzero terms. The initial state of LFSR1 can thus be recovered. A more sophisticated method in which the posterior probabilities are iteratively updated by intertwining the probabilistic decoding with the recursive computation is also introduced.

In addition, a composite method that effectively enhances the posterior prob- 
abilities for longer keysteam segments is proposed. Essentially, it consists in 



^ A sequence of independent uniformly distributed random variables over a finite set 
is called purely random. 
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dividing a longer keystream segment into subsegments of equal length, in com- 
puting the posterior probabilities for the subsegments, and then in combining 
these posterior probabilities appropriately. 

If the posterior probabilities corresponding to a given keystream sequence are not sufficiently different from one half, they can be computed for subsequences of the keystream sequence obtained by discarding an initial segment of variable length until significant posterior probabilities are obtained. This improves the performance of the fast correlation attacks explained above, but the length of the initial LFSR$_1$ segment has to be guessed. For an initial output segment of length $j-1$, one has to make $O(\sqrt{j})$ guesses around the expected value $2j-1$. Moreover, one can thus also search for outstanding posterior probabilities and then apply an information set decoding algorithm to recover the LFSR$_1$ initial state. The success of such an algorithm is independent of the LFSR$_1$ feedback polynomial, but the achievable complexity is still exponential in the length of LFSR$_1$. This improves the reduced complexity method [2].

The second point of our approach is to consider the posterior probabilities of individual bits of the regularly clocked LFSR$_2$ sequence when conditioned on a given segment of the keystream sequence and on the reconstructed LFSR$_1$ sequence, as suggested in [?]. It is proved that these probabilities can be recursively computed with complexity cubic in the keystream segment length, thus showing that the expression given in [?] is incorrect. As the LFSR$_1$ sequence is assumed to be known, the computed posterior probabilities are more distinguished from one half than in the case of LFSR$_1$. This makes the reconstruction much easier. Consequently, the initial state of LFSR$_2$ can be recovered either by an iterative probabilistic decoding algorithm or by a simple information set decoding algorithm using a subset of the probabilities close to zero or one.

Section 2 contains an overview of known results concerning the posterior probabilities of blocks of LFSR$_1$ bits. The results regarding the posterior probabilities of individual LFSR$_1$ and LFSR$_2$ bits are presented in Sections 3 and 4, respectively. These posterior probabilities are theoretically analyzed in Section 5. The combined fast correlation attacks are proposed in Section 6 and conclusions are given in Section 7. Proofs of two underlying theorems are presented in Appendices A and B.

2 Posterior Probabilities of Blocks of LFSR$_1$ Bits

We use the notation $A = a_1, a_2, \ldots$ for a binary sequence, $A_k$ for its subsequence $a_k, a_{k+1}, \ldots$, $A^n$ for its prefix $(a_i)_{i=1}^n = a_1, a_2, \ldots, a_n$, and $A_k^n$ for its subsequence $(a_i)_{i=k}^n = a_k, a_{k+1}, \ldots, a_n$. If its length is finite, then $A$ is called a string. Let $w(A)$ and $d(A)$ denote the numbers of 1's and 0's in $A$, respectively. For simplicity, we keep the same notation for random variables and their values.

Let $X$, $C$, and $Y$ denote the output sequences of LFSR$_1$, LFSR$_2$, and the shrinking generator itself, respectively. In a general model, let $X$ and $C$ be arbitrary binary sequences. Then $Y$ is obtained from $X$ by the nonuniform decimation according to $C$, that is, a bit $x_i$ is deleted from $X$ iff $c_i = 0$. Accordingly, $Y$ is a function of $X$ and $C$, $Y = F(X, C)$, where the length of $Y$ may be finite and is equal to $w(C)$. Thus $Y^n$ is a function of $X$ and $C$, $Y^n = F^n(X, C)$, for any $1 \le n \le w(C)$. If $w(C) = 0$, then $Y$ is not produced. If $w(C^n) = k \ge 1$ and $c_n = 1$, then $y_k = x_n$. It follows that $y_n$ is a function of $X_n$ and $C$, $y_n = f_n(X_n, C)$.

We assume a probabilistic model where $X$ and $C$ are independent and purely random binary sequences. It then follows that the output sequence $Y$ is also purely random. We are first interested in deriving the posterior probability $\Pr\{X^n \mid Y\}$, which in this model equals $\Pr\{X^n \mid Y^n\}$. To this end, according to [?], define the following conditional probability for prefixes of $X$ and $Y$:

$$Q(e,s) = \Pr\{Y^s, d(C^{e+s}) = e \mid X^{e+s}\}. \tag{1}$$

It is in fact the probability that $Y^s$ is obtained by deleting $e$ bits from a given string $X^{e+s}$. The permissible values of $s$ and $e$ are $0 \le s \le n$ and $0 \le e \le n-s$, where $Y^0$ denotes the empty string and, formally, $Q(0,0) = 1$. This probability can be computed recursively by

$$Q(e,s) = \tfrac12\, Q(e-1,s) + \tfrac12\, \delta(x_{e+s}, y_s)\, Q(e,s-1), \tag{2}$$

where the terms on the right-hand side corresponding to unpermissible values of $e$ or $s$ (i.e., for $e = 0$ or $s = 0$) are assumed to be equal to zero (see [?] and Appendix A). Here, $\delta(i,j)$ or $\delta_{ij}$ is the Kronecker symbol, i.e., $\delta(i,j) = 1$ if $i = j$ and $\delta(i,j) = 0$ if $i \ne j$.

Consequently, we have

$$\begin{aligned}
\Pr\{Y^n \mid X^n\} &= \sum_{e=0}^{n} \Pr\{Y^n, d(C^n) = e \mid X^n\} \\
&= \sum_{e=0}^{n} \Pr\{Y^n_{n-e+1} \mid Y^{n-e}, d(C^n) = e, X^n\}\, Q(e, n-e) \\
&= \sum_{e=0}^{n} 2^{-e}\, Q(e, n-e)
\end{aligned} \tag{3}$$

in view of the fact that, on the condition that $d(C^n) = e$, the string $Y^n_{n-e+1}$ is obtained by decimating $X_{n+1}$ according to $C_{n+1}$, where $X_{n+1}$ and $C_{n+1}$ remain mutually independent and purely random (even when conditioned on $X^n$ and $Y^{n-e}$). Therefore, under the given conditions, $Y^n_{n-e+1}$ remains uniformly distributed. Further, as $X^n$ and $Y^n$ are both uniformly distributed, we have

$$\Pr\{X^n \mid Y^n\} = \Pr\{Y^n \mid X^n\} = \sum_{e=0}^{n} 2^{-e}\, Q(e, n-e), \tag{4}$$

which is computed in $O(n^2)$ time and $O(n)$ space. The probability (4) can be found in [?], and also corresponds to the probability derived in [?] for the alternating step generator, because the nonuniform decimation of a purely random sequence can be regarded as the inverse operation to the nonuniform interleaving of two purely random sequences which is inherent to this generator.

For ease of computation, one can introduce $N(e,s) = 2^{e+s}\, Q(e,s)$, which represents the number of clock-control strings $C^{e+s}$ that result in $Y^s$ from a given $X^{e+s}$. These integers can be computed by the recursion

$$N(e,s) = N(e-1,s) + \delta(x_{e+s}, y_s)\, N(e,s-1). \tag{5}$$

Then

$$\Pr\{X^n \mid Y^n\} = 2^{-n} \sum_{e=0}^{n} 2^{-e}\, N(e, n-e). \tag{6}$$

It is proposed in [?] to use the probability $Q(m-n, n)$, where $m \approx 2n$, in order to reconstruct the LFSR$_1$ initial state from a given keystream segment $Y^n$. This probability is computed in $O(n(m-n)) = O(n^2)$ time. Statistical experiments from [?] show that $n \approx 20 r_1$ is sufficient for a successful reconstruction. Here, $Q(m-n,n)$ is used as a measure of correlation between $Y^n$ and $X^m$, where $X^m$ is produced from an assumed LFSR$_1$ initial state. It would be interesting to compare $Q(m-n,n)$ with the posterior probability (4) with respect to the minimum keystream segment length and the complexity required. However, the exhaustive search over all possible LFSR$_1$ initial states is required for both measures. It is worth mentioning that a conclusion from [?] that the required $n$ is independent of $r_1$ is incorrect, because, according to the deletion channel capacity argument, $n$ must be linear in $r_1$ (see [?] and [?]).
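The recursion (5) and the block posterior (6) are short enough to check by hand against direct enumeration. The following Python program is an added example, not code from the paper: it builds the table $N(e,s)$ with the boundary convention stated after (2), evaluates (6) in exact rational arithmetic, and compares the result with a brute-force sum over all $2^n$ clock-control strings $C^n$ (a string with $k$ ones is consistent iff it decimates $X^n$ onto $Y^k$, and the remaining $n-k$ keystream bits, produced from the purely random $X_{n+1}$, contribute a factor $2^{-(n-k)}$). The sample strings are constructed here.

```python
from fractions import Fraction
from itertools import product


def shrink(x, c):
    """Nonuniform decimation of Section 2: keep x_i iff c_i = 1."""
    return [xi for xi, ci in zip(x, c) if ci == 1]


def count_table(x, y):
    """N(e, s) of recursion (5): number of clock-control strings C^{e+s} with exactly
    e zeros that produce Y^s from X^{e+s}.  Defined for 0 <= s <= n, 0 <= e <= n-s
    with n = len(y); terms with e = 0 or s = 0 are dropped and N(0,0) = 1.
    Indices follow the paper (x[j-1] = x_j, y[s-1] = y_s)."""
    n = len(y)
    N = {(0, 0): 1}
    for s in range(n + 1):
        for e in range(n - s + 1):
            if (e, s) == (0, 0):
                continue
            v = 0
            if e > 0:                                   # c_{e+s} = 0: x_{e+s} deleted
                v += N[e - 1, s]
            if s > 0 and x[e + s - 1] == y[s - 1]:      # c_{e+s} = 1: y_s = x_{e+s}
                v += N[e, s - 1]
            N[e, s] = v
    return N


def block_posterior(x, y):
    """Pr{X^n | Y^n} = 2^-n sum_e 2^-e N(e, n-e), equation (6), as an exact Fraction."""
    n = len(y)
    N = count_table(x, y)
    return Fraction(sum(Fraction(N[e, n - e], 2 ** e) for e in range(n + 1)), 2 ** n)


def block_posterior_bruteforce(x, y):
    """Pr{Y^n | X^n} (= Pr{X^n | Y^n}, both uniform) by enumerating every C^n."""
    n = len(y)
    total = Fraction(0)
    for c in product((0, 1), repeat=n):
        kept = shrink(x[:n], c)
        if kept == y[:len(kept)]:
            total += Fraction(1, 2 ** (n - len(kept)))
    return total / 2 ** n


if __name__ == "__main__":
    # Constructed sample strings; the all-zero case gives (3/4)^n exactly.
    x, y = [1, 0, 1, 1, 0, 1], [1, 1, 0, 1, 0, 0]
    print(block_posterior(x, y), block_posterior_bruteforce(x, y))
    print(block_posterior([0] * 4, [0] * 4))   # 81/256
```

The table is kept as a dictionary for readability; since $N(e,s)$ only refers to $N(e-1,s)$ and $N(e,s-1)$, two rows suffice, which is the $O(n)$ space stated after (4).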



3 Posterior Probabilities of Individual LFSR$_1$ Bits

In this section, the posterior probabilities of individual bits of the regularly clocked LFSR$_1$ sequence when conditioned on a given segment of the keystream sequence are introduced. In Section 3.1 it is shown that these probabilities can be computed recursively in a probabilistic model in which the LFSR$_2$ sequence is assumed to be purely random, the LFSR$_1$ sequence is assumed to be a sequence of independent binary random variables, and both sequences are assumed to be mutually independent. This general model is relevant for a fast correlation attack on LFSR$_1$ in which the posterior probabilities are iteratively updated by intertwining the recursive computation with a probabilistic decoding algorithm used in fast correlation attacks on regularly clocked LFSR's. In Section 3.2 a special case of this model in which the LFSR$_1$ sequence is assumed to be purely random is considered. This case is especially relevant for a fast correlation attack on LFSR$_1$ in which the posterior probabilities recursively computed in the first stage are then processed by an iterative probabilistic decoding algorithm in the second stage.

The length of LFSR$_i$ is denoted as $r_i$, $i = 1, 2$.
3.1 General Probabilistic Model

Generalize the probabilistic model from Section 2 in such a way that a prefix of $X$ need not be purely random. More precisely, let $X$ be a sequence of independent binary random variables (bits) such that $\Pr\{x_i = 1\} = p_i$ for $1 \le i \le n$ and $\Pr\{x_i = 1\} = 0.5$ for $i > n$, where $n$ is a given positive integer. Our objective here is to determine the posterior probabilities $\hat p_i = \Pr\{x_i = 1 \mid Y^n\}$ for $1 \le i \le n$. It follows that

$$\hat p_i = p_i\, \frac{\Pr\{Y^n \mid x_i = 1\}}{\Pr\{Y^n\}}. \tag{7}$$

The problem is how to compute the probabilities $\Pr\{Y^n \mid x_i = 1\}$ and $\Pr\{Y^n\}$ efficiently. To this end, introduce the following partial probabilities, for prefixes of $Y$,

$$P_i(e,s) = \Pr\{Y^s, d(C^{e+s}) = e \mid x_i = 1\}, \tag{8}$$

$$P(e,s) = \Pr\{Y^s, d(C^{e+s}) = e\}, \tag{9}$$

for $0 \le s \le n$ and $0 \le e \le n-s$, where formally $P(0,0) = 1$ and $P_i(0,0) = 1$.

The following theorem, proved in Appendix A, shows that the partial probabilities can be computed recursively and then used to obtain the desired posterior probabilities by (7).

Theorem 1. For any given $Y^n$ and each $1 \le i \le n$, we have

$$\hat p_i = p_i\, \frac{\sum_{e=0}^{n} 2^{-e}\, P_i(e, n-e)}{\sum_{e=0}^{n} 2^{-e}\, P(e, n-e)}, \tag{10}$$

where the partial probabilities are determined recursively by

$$P_i(e,s) = \tfrac12\, P_i(e-1,s) + \tfrac12 \bigl(\delta_{i,e+s}\, y_s + (1-\delta_{i,e+s})\,(y_s p_{e+s} + (1-y_s)(1-p_{e+s}))\bigr)\, P_i(e,s-1), \tag{11}$$

$$P(e,s) = \tfrac12\, P(e-1,s) + \tfrac12 \bigl(y_s p_{e+s} + (1-y_s)(1-p_{e+s})\bigr)\, P(e,s-1), \tag{12}$$

for $0 \le s \le n$, $0 \le e \le n-s$, and $(e,s) \ne (0,0)$, from the initial values $P_i(0,0) = P(0,0) = 1$. (The terms on the right-hand sides of these equations corresponding to unpermissible values of $e$ or $s$, i.e., for $e = 0$ or $s = 0$, are assumed to be equal to zero.)

The time and space complexities of the corresponding algorithm are clearly $O(n^3)$ and $O(n)$, respectively: the recursion (12) is run once and the recursion (11) once for each of the $n$ values of $i$, each run costing $O(n^2)$ time and two rows of $O(n)$ space. The algorithm may thus be feasible even if $n$ is large. For computational convenience, the multiplicative factor $0.5$ can be removed from the recursions without affecting the values of the posterior probabilities. The time complexity can be reduced to $O(n^2\sqrt{n})$ if $P_i(e,s)$ and $P(e,s)$ are computed approximately, only for $O(\sqrt{n})$ values of $e$ around $s$.
3.2 Purely Random String Probabilistic Model

Consider now the model in which $X$ is a purely random sequence. It is a particular instance of the general model from Section 3.1 in which $p_i = 0.5$, $1 \le i \le n$. In this model, the recursion (12) can be explicitly solved as $P(e,s) = \binom{e+s}{e}\, 2^{-(e+2s)}$, so that $\Pr\{Y^n\} = 2^{-n}$, as is to be expected. Accordingly, the posterior probabilities can be computed by the following corollary to Theorem 1.

Corollary 1. If $X$ is purely random, then for any given $Y^n$ and each $1 \le i \le n$, we have

$$\hat p_i = 2^{n-1} \sum_{e=0}^{n} 2^{-e}\, P_i(e, n-e), \tag{13}$$

where the partial probability is determined recursively by

$$P_i(e,s) = \tfrac12\, P_i(e-1,s) + \tfrac14 \bigl(1 + \delta_{i,e+s}(2y_s - 1)\bigr)\, P_i(e,s-1) \tag{14}$$

for $0 \le s \le n$, $0 \le e \le n-s$, and $(e,s) \ne (0,0)$, from the initial value $P_i(0,0) = 1$.

Further simplification and an explicit expression can be obtained by using the fact that $X$ is purely random. Namely, in a similar way as (34) in Appendix A, we obtain

$$\begin{aligned}
\Pr\{Y^n \mid x_i = 1\} &= \sum_{e=0}^{i} \Pr\{Y^n, d(C^i) = e \mid x_i = 1\} \\
&= \sum_{e=0}^{i} \Pr\{Y^n_{i-e+1}, Y^{i-e}, d(C^i) = e \mid x_i = 1\} \\
&= \sum_{e=0}^{i} \Pr\{Y^n_{i-e+1} \mid Y^{i-e}, d(C^i) = e, x_i = 1\}\, P_i(e, i-e) \\
&= 2^{-(n-i)} \sum_{e=0}^{i} 2^{-e}\, P_i(e, i-e) = 2^{-(n-i)}\, \Pr\{Y^i \mid x_i = 1\}.
\end{aligned} \tag{15}$$

As a consequence, we have

$$\Pr\{x_i = 1 \mid Y^n\} = \Pr\{x_i = 1 \mid Y^i\}. \tag{16}$$

Also, it follows that

$$P_i(e, i-e) = \tfrac12\, P(e-1, i-e) + \tfrac12\, y_{i-e}\, P(e, i-e-1), \tag{17}$$

where $P(e,s) = 2^{-(e+2s)} M(e,s)$, $M(e,s) = \binom{e+s}{e}$, and the binomial coefficients can be computed recursively by

$$M(e,s) = M(e-1,s) + M(e,s-1) \tag{18}$$

Correlation Analysis of the Shrinking Generator 447

for $0 \le s \le n-1$, $0 \le e \le n-1-s$, and $(e,s) \ne (0,0)$, from the initial value $M(0,0) = 1$. Then (13) and (17) imply an explicit expression (19) for $\hat p_i$ in terms of the binomial coefficients, and we finally obtain the following theorem.

Theorem 2. If $X$ is purely random, then for any given $Y^n$ and each $1 \le i \le n$, we have

$$\hat p_i = \frac14 \Bigl(1 + 2^{-(i-2)} \sum_{e=0}^{i-1} \binom{i-1}{e}\, y_{i-e}\Bigr). \tag{20}$$

The time and space complexities of the algorithm corresponding to Theorem 2 are $O(n^2)$ and $O(n)$, respectively, where the binomial coefficients can be recursively precomputed in $O(n^2)$ time by using (18). However, (20) shows that $\hat p_i$ can be numerically approximated with an arbitrarily small error by using only $O(\sqrt{i-1})$ values of $e$ around $(i-1)/2$, since the binomial weights are concentrated there. This reduces the time complexity to $O(n\sqrt{n})$.

The following immediate corollary to Theorem 2 shows that the posterior probabilities cannot approach 0 or 1.

Corollary 2. If $X$ is purely random, then for any given $Y^n$ and each $1 \le i \le n$, we have

$$\frac14 \le \hat p_i \le \frac34, \tag{21}$$

where the lower and upper bounds are achieved if and only if $Y^i$ consists of all 0's and of all 1's, respectively.
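Theorem 1, Corollary 1 and Theorem 2 can be cross-checked against each other and against the definition of the posterior. The following Python program is an added example and not code from the paper: it implements the recursions (11) and (12) with the boundary convention of Theorem 1, the closed form (20), and a brute-force evaluation of $\Pr\{x_i = 1 \mid Y^n\}$ that enumerates all $X^n$ (weighted by the priors $p_j$) and all $C^n$, treating the keystream bits beyond the decimated prefix as produced by the purely random $X_{n+1}$. The sample keystream and priors are constructed here; with all priors equal to $0.5$ the three computations must agree exactly, which is why the code uses exact rationals.

```python
from fractions import Fraction
from itertools import product
from math import comb

HALF = Fraction(1, 2)


def _bit_match_prob(y_s, p_j):
    """Pr{x_j = y_s} for a bit with prior Pr{x_j = 1} = p_j: the factor in (11) and (12)."""
    return p_j if y_s == 1 else 1 - p_j


def theorem1_posteriors(y, priors):
    """Theorem 1, equations (10)-(12): p_hat_i for i = 1..n under priors p_1..p_n
    (bits after position n are uniform).  y[s-1] = y_s and priors[j-1] = p_j."""
    y, p = list(y), [Fraction(v) for v in priors]
    n = len(y)

    def weighted_sum(i):
        # i = None builds P(e, s) of (12); otherwise P_i(e, s) of (11).
        T = {(0, 0): Fraction(1)}
        for s in range(n + 1):
            for e in range(n - s + 1):
                if (e, s) == (0, 0):
                    continue
                v = Fraction(0)
                if e > 0:                                  # c_{e+s} = 0: x_{e+s} deleted
                    v += HALF * T[e - 1, s]
                if s > 0:                                  # c_{e+s} = 1: y_s = x_{e+s}
                    if i is not None and e + s == i:
                        a = Fraction(y[s - 1])             # conditioned on x_i = 1
                    else:
                        a = _bit_match_prob(y[s - 1], p[e + s - 1])
                    v += HALF * a * T[e, s - 1]
                T[e, s] = v
        return sum(Fraction(1, 2 ** e) * T[e, n - e] for e in range(n + 1))

    denom = weighted_sum(None)
    return [p[i - 1] * weighted_sum(i) / denom for i in range(1, n + 1)]


def theorem2_posteriors(y):
    """Theorem 2, equation (20), for purely random X; uses only y_1..y_i as (16) says."""
    y = list(y)
    return [Fraction(1, 4) + Fraction(sum(comb(i - 1, e) * y[i - 1 - e] for e in range(i)), 2 ** i)
            for i in range(1, len(y) + 1)]


def brute_force_posteriors(y, priors):
    """Pr{x_i = 1 | Y^n} from the definition, enumerating all X^n and C^n."""
    y, p = list(y), [Fraction(v) for v in priors]
    n = len(y)
    num, denom = [Fraction(0)] * n, Fraction(0)
    for x in product((0, 1), repeat=n):
        px = Fraction(1)
        for xj, pj in zip(x, p):
            px *= pj if xj else 1 - pj
        for c in product((0, 1), repeat=n):
            kept = [xj for xj, cj in zip(x, c) if cj]
            if kept != y[:len(kept)]:
                continue
            # 2^-n for C^n, 2^-(n-k) for the keystream bits taken from X_{n+1}
            w = px * Fraction(1, 2 ** n) * Fraction(1, 2 ** (n - len(kept)))
            denom += w
            for j in range(n):
                if x[j]:
                    num[j] += w
    return [v / denom for v in num]


if __name__ == "__main__":
    y = [1, 1, 0, 1]                                    # constructed keystream segment
    print(theorem2_posteriors(y))                       # 3/4, 3/4, 5/8, 9/16
    print(theorem1_posteriors(y, [0.5] * 4) == theorem2_posteriors(y))
    pri = [0.25, 0.75, 0.125, 0.5, 0.375]               # constructed non-uniform priors
    print(theorem1_posteriors([0, 1, 1, 0, 1], pri) == brute_force_posteriors([0, 1, 1, 0, 1], pri))
```

Passing the posteriors of one round back in as the priors of the next is exactly the first stage of the iterative attack of Section 6.2; the brute-force routine is only for validation, as it costs $4^n$ steps.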



4 Posterior Probabilities of Individual LFSR$_2$ Bits

In this section, it is shown that the posterior probabilities of individual bits of the regularly clocked LFSR$_2$ sequence when conditioned on a given segment of the keystream sequence and on a segment of the reconstructed LFSR$_1$ sequence can be computed recursively with complexity cubic in the segment length.

Assuming that $X$ and $C$ are independent and purely random, our objective is to determine the posterior probabilities $\hat q_i = \Pr\{c_i = 1 \mid Y^n, X^n\}$ for $1 \le i \le n$. It follows that

$$\hat q_i = \frac12\, \frac{\Pr\{Y^n \mid c_i = 1, X^n\}}{\Pr\{Y^n \mid X^n\}}. \tag{22}$$

In Section 2 it is shown that $\Pr\{Y^n \mid X^n\}$ can be computed recursively. The problem is how to compute $\Pr\{Y^n \mid c_i = 1, X^n\}$ efficiently. Similarly to (1), define the following conditional probability for prefixes of $X$ and $Y$

$$Q_i(e,s) = \Pr\{Y^s, d(C^{e+s}) = e \mid c_i = 1, X^{e+s}\} \tag{23}$$

for $0 \le s \le n$ and $0 \le e \le n-s$, with $Q_i(0,0) = 1$.

The following theorem, proved in Appendix B, shows that this probability can be computed recursively and then used to obtain the desired posterior probabilities by (22). This theorem shows that the expression for the posterior probabilities given in [?] is incorrect, not only in general, but also in the special case of the probabilities $\Pr\{c_i = 1 \mid Y^i, X^i\}$.

Theorem 3. For any given $Y^n$ and $X^n$ and each $1 \le i \le n$, we have

$$\hat q_i = \frac12\, \frac{\sum_{e=0}^{n} 2^{-e}\, Q_i(e, n-e)}{\sum_{e=0}^{n} 2^{-e}\, Q(e, n-e)}, \tag{24}$$

where $Q(e,s)$ and $Q_i(e,s)$, respectively, are determined recursively by (2) and by

$$Q_i(e,s) = \tfrac12 (1 - \delta_{i,e+s})\, Q_i(e-1,s) + \tfrac12 (1 + \delta_{i,e+s})\, \delta(x_{e+s}, y_s)\, Q_i(e,s-1) \tag{25}$$

for $0 \le s \le n$, $0 \le e \le n-s$, and $(e,s) \ne (0,0)$, from the initial value $Q_i(0,0) = 1$.

The time and space complexities of the corresponding algorithm are clearly $O(n^3)$ and $O(n)$, respectively. For ease of computation, one can introduce the integers $N_i(e,s) = 2^{e+s}\, Q_i(e,s)$, which can be computed by the recursion

$$N_i(e,s) = (1 - \delta_{i,e+s})\, N_i(e-1,s) + (1 + \delta_{i,e+s})\, \delta(x_{e+s}, y_s)\, N_i(e,s-1). \tag{26}$$

Then

$$\hat q_i = \frac12\, \frac{\sum_{e=0}^{n} 2^{-e}\, N_i(e, n-e)}{\sum_{e=0}^{n} 2^{-e}\, N(e, n-e)}, \tag{27}$$

where the integers $N(e,s)$ satisfy the recursion (5). The time complexity can be reduced to $O(n^2\sqrt{n})$ if $N_i(e,s)$ and $N(e,s)$ are computed approximately, only for $O(\sqrt{n})$ values of $e$ around $s$.
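The integer form (26)/(27) of Theorem 3 is straightforward to implement and, for small $n$, to verify against the definition of $\hat q_i$. The following Python program is an added example and not code from the paper: one routine builds the tables $N(e,s)$ of (5) and $N_i(e,s)$ of (26) (the factor $1-\delta_{i,e+s}$ kills the deletion branch at position $i$, where $c_i = 1$ is given, and the factor $1+\delta_{i,e+s}$ doubles the keep branch there), and a second routine enumerates all $2^n$ clock-control strings $C^n$ and sums the weights of those with $c_i = 1$. The sample strings are constructed here; for $X^2 = Y^2 = 11$ both give $\hat q_1 = \hat q_2 = 2/3$.

```python
from fractions import Fraction
from itertools import product


def shrink(x, c):
    """Nonuniform decimation of Section 2: keep x_i iff c_i = 1."""
    return [xi for xi, ci in zip(x, c) if ci == 1]


def _weighted_sum(x, y, i):
    """sum_e 2^-e T(e, n-e) with T = N of (5) when i is None, T = N_i of (26) otherwise.
    Indices follow the paper: x[j-1] = x_j, y[s-1] = y_s."""
    n = len(y)
    T = {(0, 0): 1}
    for s in range(n + 1):
        for e in range(n - s + 1):
            if (e, s) == (0, 0):
                continue
            d = 1 if (i is not None and e + s == i) else 0       # delta_{i,e+s}
            v = 0
            if e > 0:                                             # c_{e+s} = 0, impossible if e+s = i
                v += (1 - d) * T[e - 1, s]
            if s > 0 and x[e + s - 1] == y[s - 1]:                # c_{e+s} = 1 needs y_s = x_{e+s}
                v += (1 + d) * T[e, s - 1]
            T[e, s] = v
    return sum(Fraction(T[e, n - e], 2 ** e) for e in range(n + 1))


def lfsr2_posteriors(x, y):
    """Theorem 3 in the integer form (27): q_hat_i for i = 1..n, given Y^n and X^n."""
    n = len(y)
    denom = _weighted_sum(x, y, None)
    return [Fraction(1, 2) * _weighted_sum(x, y, i) / denom for i in range(1, n + 1)]


def lfsr2_posteriors_bruteforce(x, y):
    """Same posteriors by enumerating all 2^n clock-control strings C^n.  A string with
    k ones is consistent iff it decimates X^n onto Y^k; the remaining n-k keystream
    bits then come from the purely random X_{n+1} and contribute a factor 2^-(n-k)."""
    n = len(y)
    num, denom = [Fraction(0)] * n, Fraction(0)
    for c in product((0, 1), repeat=n):
        kept = shrink(x[:n], c)
        if kept != y[:len(kept)]:
            continue
        w = Fraction(1, 2 ** (n - len(kept)))
        denom += w
        for j in range(n):
            if c[j]:
                num[j] += w
    return [v / denom for v in num]


if __name__ == "__main__":
    print(lfsr2_posteriors([1, 1], [1, 1]))             # [2/3, 2/3]
    x, y = [1, 0, 1, 1, 0, 1, 0], [1, 1, 0, 1, 0, 0, 1]  # constructed sample strings
    print(lfsr2_posteriors(x, y) == lfsr2_posteriors_bruteforce(x, y))
```

Because $X^n$ enters only through the Kronecker tests $\delta(x_{e+s}, y_s)$, a wrong LFSR$_1$ candidate simply makes those tests fail in many places; the resulting posteriors then carry little structure, which is what the phase-shift search of Section 6.6 relies on.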



5 Analysis of Posterior Probabilities

The posterior probabilities of individual LFSR$_1$ bits computed according to Theorem 2 may be useful for reconstructing the unknown LFSR$_1$ sequence from a known segment of the output sequence if they are sufficiently different from one half. According to Theorem 2 and Corollary 2, the posterior probability $\hat p_i$ will be close to $1/4$ ($3/4$) if there is an output segment of length relatively close to $\sqrt{i-1}/2$ around the position $(i-1)/2$ in the output string $Y^i$ such that the relative number of 0's (1's) on this segment is considerably different from one half. More generally, if $Y^n$ is relatively unbalanced, that is, if the relative number of 0's in $Y^n$ is considerably different from one half, then most of the posterior probabilities of bits in $X^n$ will be significant.

As $\hat p_i$ depends on the output string $Y^i$, it is interesting to analyze the average value of the absolute difference $|\Delta p_i| = |\hat p_i - 0.5|$ over purely random $Y^i$. In view of (20), we get

$$|\Delta p_i| = 2^{-i} \Bigl| \sum_{e=0}^{i-1} \binom{i-1}{e}\, (y_{i-e} - 0.5) \Bigr|. \tag{28}$$

Exact analysis of (28) appears to be difficult. However, the following approximate analysis establishes that $|\Delta p_i|$ is significantly different from zero for a uniformly distributed $Y^i$.

The analysis is based on approximating a binomial distribution $B(n, 0.5)$ by a uniform distribution, with the same expected value and standard deviation, over a segment of length $\sqrt{3n}$ centered around $0.5n$. Consequently, let $I(i)$ denote a segment of length $m(i) \approx \sqrt{3(i-1)}$ centered around $0.5(i+1)$. Then (28) reduces to

$$|\Delta p_i| \approx \frac{1}{2m(i)} \Bigl| \sum_{j \in I(i)} (y_j - 0.5) \Bigr| = \frac{1}{2m(i)}\, |m_1(i) - 0.5\, m(i)|, \tag{29}$$

where $m_1(i)$ is the number of 1's in $Y^i$ on the segment $I(i)$. Now, as $m_1(i)$ is binomially distributed, we further get the following average values over $Y^i$

$$|m_1(i) - 0.5\, m(i)|_{\mathrm{av}} \approx \sqrt{\frac{m(i)}{2\pi}}, \tag{30}$$

$$|\Delta p_i|_{\mathrm{av}} \approx \frac{1}{2\sqrt{2\pi}}\, \frac{1}{\sqrt{m(i)}} = \frac{1}{2\sqrt{2\pi}\, \sqrt[4]{3}}\, \frac{1}{\sqrt[4]{i-1}} \approx \frac{0.1515}{\sqrt[4]{i-1}}. \tag{31}$$

Except maybe for the multiplicative constant, the approximation is very good for $i > 100$. Thus, as $i$ increases, it turns out that $|\Delta p_i|_{\mathrm{av}}$ decreases approximately like $0.1515/\sqrt[4]{i}$. The decrease is to be expected, because of a loss of synchronization between the original and the decimated sequence. However, it may be surprising that the decrease is very slow, so that the posterior probabilities remain significant even for relatively large values of $i$. For example, $|\Delta p_i|_{\mathrm{av}}$ is approximately $0.01515$ for $i = 10000$ and $0.01$ for $i = 50000$.

The posterior probabilities of individual LFSR$_2$ bits computed according to Theorem 3 depend both on the output sequence and on the reconstructed LFSR$_1$ sequence. They are harder to analyze theoretically, but should be much more different from one half than the posterior probabilities of individual LFSR$_1$ bits, because the LFSR$_1$ sequence is assumed to be known. They can be used for reconstructing the unknown LFSR$_2$ sequence from a known segment of the output sequence and a segment of the reconstructed LFSR$_1$ sequence.
6 Combined Fast Correlation Attacks

It is assumed that the LFSR feedback polynomials and a sufficiently long segment of the keystream sequence, in the known-plaintext scenario, are known. The objective of cryptanalysis is to reconstruct the secret-key-dependent initial states of LFSR$_1$ and LFSR$_2$ by an algorithm whose complexity can be relatively small even for large LFSR lengths.

6.1 Basic Attack on LFSR$_1$

Let $Y^n$ be a given segment of the keystream sequence and let $X^n$ be the corresponding segment of the regularly clocked output sequence of LFSR$_1$ whose initial state is to be recovered. The basic attack on LFSR$_1$ consists of two stages.

In the first stage, compute the posterior probabilities of individual bits of $X^n$ by using the probabilistic model in which the input strings are assumed to be purely random. This is achieved in $O(n\sqrt{n})$ time by applying Theorem 2 from Section 3.2. The obtained sequence of posterior probabilities, $(\hat p_i)_{i=1}^n$, is a soft-valued estimate of $X^n$. A hard estimate $\hat X^n = (\hat x_i)_{i=1}^n$ of $X^n$ can be obtained by applying the maximum posterior probability decision rule for individual bits, i.e., $\hat x_i = 1$ if $\hat p_i > 0.5$ and $\hat x_i = 0$ otherwise. Therefore

$$\Pr\{x_i \ne \hat x_i \mid Y^n\} = \min(\hat p_i, 1 - \hat p_i). \tag{32}$$

The correlation coefficient between $x_i$ and $\hat x_i$, conditioned on $Y^i$, is then

$$c_i = 1 - 2\Pr\{x_i \ne \hat x_i \mid Y^i\} = |1 - 2\hat p_i|. \tag{33}$$

The analysis conducted in Section 5 shows that the expected value of $c_i$ over $Y^i$ slowly decreases approximately like $0.303/\sqrt[4]{i}$ as $i$ increases. So, it remains significantly large even for relatively large $i$ such as $i = 10000$.

In the second stage, $X^n$ is reconstructed from $(\hat p_i)_{i=1}^n$ by using the LFSR$_1$ linear recursion. Equation (32) means that $\hat X^n$ can be modeled as a noisy output of a time-varying binary symmetric channel when $X^n$ is applied to its input, where the errors are approximately independent. As $X^n$ is a codeword of the corresponding (truncated cyclic) linear block code, the problem of reconstructing $X^n$ is thus essentially a decoding problem. It can be solved by using parity-check based iterative probabilistic decoding algorithms for fast correlation attacks on regularly clocked LFSR's (e.g., see [?], [12], and [?]). The time-variant correlation coefficient should improve the performance of these attacks.

It is known that the complexity of fast correlation attacks on a regularly clocked LFSR and the required output string length $n$ mainly depend on the magnitude of the correlation coefficient and on the degrees and numbers of low-weight polynomial multiples of the LFSR feedback polynomial (e.g., see [?], [?], and [?]). Successful fast correlation attacks are reported in [5], for random feedback polynomials, and in [?], for low-weight feedback polynomials, for correlation coefficients as small as $2/15$ and $1/16$, respectively. For the shrinking generator, according to Section 5, the expected value of the correlation coefficient $c_i$ is considerably different from zero even if $i$ is relatively large. For example, this expected value is approximately equal to $1/10$, $1/20$, $1/35$, and $1/50$ for $i = 100$, $1000$, $10000$, and $50000$, respectively.

Since the expected value of $c_i$ slowly decreases as $i$ increases, it is of interest to keep $n$ reasonably small. To this end, the so-called parity checks with memory [?] (also see [7]) or the parity checks sharing a given number of bits in common [?] may be utilized. In conclusion, the second stage of the basic fast correlation attack on the shrinking generator may be successful for a large class of LFSR$_1$ feedback polynomials.

If an information set decoding (e.g., error-free sliding window) technique is applied at the end, then the reconstructed string will satisfy the LFSR$_1$ recursion, but should be tested for correlation with the hard estimate $\hat X^n$. Alternatively, one may use the posterior probability (4) of blocks of LFSR$_1$ bits as a measure of correlation.

6.2 Iterative Attack on LFSR$_1$

The iterative probabilistic decoding algorithms in the second stage of the basic attack from Section 6.1 iteratively update the posterior probabilities of individual bits of $X^n$. Therefore, the basic attack can be (considerably) improved if the first stage of the attack is incorporated in the iterations of the chosen iterative probabilistic decoding algorithm. For example, we propose an iterative attack whose first iteration coincides with the basic attack and every subsequent iteration consists of two stages. First, update the posterior probabilities of individual bits of $X^n$ by Theorem 1 from Section 3.1, where the posterior probabilities from the preceding iteration are used as the prior probabilities. Second, update the posterior probabilities of individual bits of $X^n$ by applying the iterative probabilistic decoding algorithm.



6.3 Composite Attack on LFSR$_1$

As the posterior probability $\hat p_i$ slowly approaches one half as $i$ increases, it makes sense to divide a longer keystream segment into subsegments of equal length, to compute the posterior probabilities for the subsegments, and then to combine these posterior probabilities appropriately.

To this end, consider $m$ overlapping output subsegments, $0 \le j \le m-1$, where $\tau_j \approx \sqrt{2(j+1)n}$ for $0 \le j \le m-2$, and $\tau_{m-1} = 0$. Compute $2n + \tau_j$ posterior probabilities for the corresponding LFSR$_1$ segment starting at position $i_j + 1$, for each $0 \le j \le m-1$. Here, $i_0 = 0$ and, for $j > 0$, $i_j$ is unknown, but is expected to be around $2jn + 1$ within an interval of length proportional to $\sqrt{2jn}$. So, a segment of $2mn$ posterior probabilities can be composed by guessing $i_j$, $1 \le j \le m-1$, and by taking the posterior probabilities more different from one half for the overlapping parts of the LFSR$_1$ subsegments. The additional $\tau_j$ bits for the $j$-th subsegment serve to fill in a possible gap between the $j$-th and $(j+1)$-th subsegments. As $\hat p_i$ slowly changes with $i$, the method is not sensitive to the $m-1$ guesses of the unknown positions $i_j$.

Finally, a fast correlation attack is run by using the composed segment of $2mn$ consecutive posterior probabilities. It has to be run for each of the guesses of the positions $i_1, \ldots, i_{m-1}$. For example, $n \le 20000$ and $m \le 5$ are realistic choices of the parameters.



6.4 Subsequence Attack on LFSR$_1$

Suppose that the posterior probabilities corresponding to a given keystream segment $Y^n$ are not sufficiently different from one half, because the length $n$ required for the success of the fast correlation attacks explained above is too large. One can then compute the posterior probabilities for a number of subsequences of the keystream sequence obtained by discarding an initial segment of variable length until more significant posterior probabilities are obtained. This will improve the performance of the fast correlation attacks, but the length of the initial LFSR$_1$ segment has to be guessed. More precisely, if a segment of the LFSR$_1$ sequence starting at position $j'+1$ is reconstructed from the output segment starting at position $j+1$, one has to make $O(\sqrt{j})$ guesses around the expected value $2j$ in order to find the unknown initial position $j'$. The number of tested subsequences is $j/\delta$ if one skips $\delta - 1$ output bits at a time. Testing can be simplified by searching for relatively unbalanced output subsequences instead of the significant posterior probabilities.

In particular, one can also search for about $r_1$, not necessarily consecutive, outstanding posterior probabilities (close to $1/4$ or $3/4$) and then apply an information set decoding algorithm to recover the LFSR$_1$ initial state, where the posterior probability (4) of blocks of LFSR$_1$ bits is used as a measure of correlation. The success of such an algorithm is independent of the LFSR$_1$ feedback polynomial, but, according to the information set decoding arguments, the achievable complexity is still exponential in $r_1$.

This improves the reduced complexity method [2] based on specific subsequences of the output sequence. Namely, as the class of usable subsequences is effectively enlarged, the required keystream segment length can be considerably reduced. The expression given in [?] is approximative, whereas the accurate expression for the posterior probabilities is provided by Theorem 2. Moreover, the need for guessing the length of the initial LFSR$_1$ segment is overlooked in [?].



6.5 Reinitialization Attack on LFSR$_1$

Suppose that for resynchronization purposes the shrinking generator is reinitialized by bitwise addition of a reinitialization vector to the secret-key-controlled LFSR initial states, in view of the fact that the nonlinear next-state function prevents the resynchronization attack [2]. The posterior probabilities of individual LFSR$_1$ bits produced from the secret-key-controlled initial state can then be computed for different initialization vectors and all combined into values more different from one half, so that the corresponding fast correlation attack is easier.
6.6 Attack on LFSR$_2$

After reconstructing a candidate initial state of LFSR$_1$, the initial state of LFSR$_2$ can be recovered by computing the posterior probabilities of individual LFSR$_2$ bits by Theorem 3 from Section 4. More precisely, the posterior probabilities of individual bits of $C^m$ are computed in $O(m^2\sqrt{m})$ time from the given $Y^m$ and the reconstructed $X^m$, $m \le n$. Here, $C^m$ is the corresponding segment of the regularly clocked output sequence of LFSR$_2$ whose initial state is to be recovered. As $X^m$ is assumed to be known, the obtained posterior probabilities are much more distinguished from one half than in the case of LFSR$_1$. The reconstruction problem is then much easier and $m$ can be much smaller than $n$. The posterior probabilities can be further enhanced by the reinitialization method described in Section 6.5. Accordingly, the initial state of LFSR$_2$ can be reconstructed by iterative probabilistic decoding algorithms in the same way as in the basic attack on LFSR$_1$ explained in Section 6.1. Moreover, as the posterior probabilities can be close to 0 or 1, simple information set decoding algorithms may also be applicable.

One should repeat the attack on LFSR$_2$ for several small phase shifts, positive or negative, of the reconstructed LFSR$_1$ sequence until the correct initial states of both LFSR's are reconstructed. Note that the number of solutions for the LFSR initial states is the number of 0's in a cycle of the LFSR$_2$ sequence preceding the first clock-control bit equal to 1 (see [?]).

7 Conclusions

The introduced probabilistic analysis of the shrinking generator shows that irregularly clocked LFSR's, contrary to a common belief in the open literature, may be vulnerable to fast correlation attacks. The analysis can be generalized to deal with arbitrary keystream generators based on clock-controlled LFSR's.

In order to reconstruct the initial state of the clock-controlled LFSR, LFSR$_1$, in the shrinking generator, the new idea is to compute the posterior probabilities of individual bits of the regularly clocked LFSR$_1$ sequence when conditioned on a given segment of the output sequence. Perhaps surprisingly, a theoretical analysis indicates that these probabilities can be significantly different from one half even for relatively long segments of the LFSR$_1$ sequence. Accordingly, the initial state of LFSR$_1$ may be recovered by a fast correlation attack, applicable to a regularly clocked LFSR, based on the computed posterior probabilities. It is known that such an attack can be successful for certain LFSR feedback polynomials. More sophisticated fast correlation attacks including the iterative attack, the composite attack, the subsequence attack, and the reinitialization attack are also proposed.

The initial state of the clock-control LFSR, LFSR$_2$, can be reconstructed in a similar way, but based on the computed posterior probabilities of individual bits of the regularly clocked LFSR$_2$ sequence when conditioned on a given segment of the output sequence and on a segment of the reconstructed LFSR$_1$ sequence. As these probabilities are more distinguished from one half, the corresponding fast correlation attack is easier.
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Appendix 

A Proof of Theorem ^ 

To prove (…), we start from (…). First, in view of (…), we get
\[
\begin{aligned}
\Pr\{Y^n \mid x_1 = 1\}
&= \sum_{e=0}^{n} \Pr\{Y^n, d(C^n) = e \mid x_1 = 1\} \\
&= \sum_{e=0}^{n} \Pr\{Y^n_{n-e+1}, Y^{n-e}, d(C^n) = e \mid x_1 = 1\} \\
&= \sum_{e=0}^{n} \Pr\{Y^n_{n-e+1} \mid Y^{n-e}, d(C^n) = e, x_1 = 1\}\, P_1(e, n-e) \\
&= \sum_{e=0}^{n} 2^{-e} P_1(e, n-e). \tag{34}
\end{aligned}
\]
Namely, on the condition that $d(C^n) = e$, the string $Y^n_{n-e+1}$ is obtained by 
decimating $X_{n+1}$ according to $C_{n+1}$, where $X_{n+1}$ and $C_{n+1}$ are mutually 
independent and purely random even when conditioned on $x_1$ and $Y^{n-e}$. Therefore, 
under the given conditions, $Y^n_{n-e+1}$ is uniformly distributed. Similarly, in view 
of (…), we have
\[
\Pr\{Y^n\} = \sum_{e=0}^{n} 2^{-e} P(e, n-e). \tag{35}
\]
Consequently, (…) together with (34) and (35) results in (…). 

As for the recursions, we only prove (…), whereas (…) is proved analogously. 
For $(e, s) \neq (0, 0)$, (…) results in
\[
\begin{aligned}
P_1(e, s) &= \Pr\{Y^s, d(C^{e+s}) = e \mid x_1 = 1, c_{e+s} = 0\} \cdot \Pr\{c_{e+s} = 0 \mid x_1 = 1\} \\
&\quad + \Pr\{Y^s, d(C^{e+s}) = e \mid x_1 = 1, c_{e+s} = 1\} \cdot \Pr\{c_{e+s} = 1 \mid x_1 = 1\} \\
&= \Pr\{Y^s, d(C^{e+s-1}) = e-1 \mid x_1 = 1, c_{e+s} = 0\} \cdot \tfrac{1}{2} \\
&\quad + \Pr\{Y^s, d(C^{e+s-1}) = e \mid x_1 = 1, c_{e+s} = 1\} \cdot \tfrac{1}{2}. \tag{36}
\end{aligned}
\]
Now, as $d(C^{e+s-1})$ is independent of $c_{e+s}$, and $Y^s$ is independent of $c_{e+s}$ on 
the condition that $d(C^{e+s-1}) = e - 1$, we get
\[
\Pr\{Y^s, d(C^{e+s-1}) = e-1 \mid x_1 = 1, c_{e+s} = 0\}
= \Pr\{Y^s, d(C^{e+s-1}) = e-1 \mid x_1 = 1\} = P_1(e-1, s). \tag{37}
\]
On the other hand, if $c_{e+s} = 1$ and $d(C^{e+s-1}) = e$, then $y_s = x_{e+s}$. Thus, 
we get
\[
\begin{aligned}
&\Pr\{Y^s, d(C^{e+s-1}) = e \mid x_1 = 1, c_{e+s} = 1\} \\
&= \Pr\{x_{e+s} = y_s, Y^{s-1}, d(C^{e+s-1}) = e \mid x_1 = 1, c_{e+s} = 1\} \\
&= \Pr\{x_{e+s} = y_s \mid Y^{s-1}, d(C^{e+s-1}) = e, x_1 = 1, c_{e+s} = 1\} \\
&\qquad \cdot \Pr\{Y^{s-1}, d(C^{e+s-1}) = e \mid x_1 = 1, c_{e+s} = 1\} \tag{38} \\
&= \Pr\{x_{e+s} = y_s \mid x_1 = 1\} \cdot \Pr\{Y^{s-1}, d(C^{e+s-1}) = e \mid x_1 = 1\} \tag{39} \\
&= \bigl(\delta_{1,e+s}\, y_s + (1 - \delta_{1,e+s})(y_s p_{e+s} + (1 - y_s)(1 - p_{e+s}))\bigr) \cdot P_1(e, s-1). \tag{40}
\end{aligned}
\]
The first line of (39) follows from the first line of (38) because $x_{e+s}$ is independent 
of $C^{e+s}$ and, on the condition that $d(C^{e+s-1}) = e$, it is also independent of $Y^{s-1}$. 
In addition, as $d(C^{e+s-1})$ is independent of $c_{e+s}$ and $Y^{s-1}$ is independent of $c_{e+s}$ 
on the condition that $d(C^{e+s-1}) = e$, the second line of (39) follows from the 
second line of (38). 

Equation (…) directly follows from (36), (37), and (40). If $e = 0$, then the 
first term on the right-hand side of (36) is omitted, and if $s = 0$, then the second 
term on the right-hand side of (36) is omitted. The correct values of $P_1(1, 0)$ and 
$P_1(0, 1)$ are both obtained from the initial value $P_1(0, 0) = 1$. 
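The recursion (36), (37), (40) and the sum (34) carried out numerically, as an added example that is not part of the paper. It assumes an idealised model (an assumption, not the paper's full setting): given x_1 = 1, the other bits x_j of the regularly clocked LFSR_1 sequence are independent with Pr{x_j = 1 | x_1 = 1} = p[j] (the p_{e+s} of (40)), the clock-control bits are i.i.d. uniform, and bits outside the analysed window are uniform; the exhaustive enumeration is only a check of the recursion, and posterior_x1 additionally assumes Pr{x_1 = 1} = 1/2.

```python
from itertools import product

# Constructed example: sequences are 1-indexed (index 0 unused), as in the paper.
# P_1(e, s) = Pr{Y^s, d(C^{e+s}) = e | x_1 = 1}, where d(.) counts the zeros of
# the clock-control prefix.  Assumed model: given x_1 = 1 the bits x_j, j > 1,
# are independent with Pr{x_j = 1 | x_1 = 1} = p[j]; the clock bits c_j are
# i.i.d. uniform; bits beyond the analysed window are uniform.

def match_prob(j, bit, p):
    """Pr{x_j = bit | x_1 = 1}: the bracketed factor in (40)."""
    if j == 1:                  # delta_{1,e+s} term: x_1 is known to equal 1
        return 1.0 if bit == 1 else 0.0
    return p[j] if bit == 1 else 1.0 - p[j]

def p1_table(y, p):
    """P_1(e, s) for all e + s <= n by the recursion (36), (37), (40)."""
    n = len(y) - 1
    P = [[0.0] * (n + 1) for _ in range(n + 1)]
    P[0][0] = 1.0               # initial value P_1(0, 0) = 1
    for e in range(n + 1):
        for s in range(n + 1 - e):
            if e == 0 and s == 0:
                continue
            v = 0.0
            if e > 0:           # c_{e+s} = 0: one more deletion, see (37)
                v += 0.5 * P[e - 1][s]
            if s > 0:           # c_{e+s} = 1: y_s = x_{e+s}, see (40)
                v += 0.5 * match_prob(e + s, y[s], p) * P[e][s - 1]
            P[e][s] = v
    return P

def prob_y_given_x1(y, p):
    """Pr{Y^n | x_1 = 1} = sum_e 2^{-e} P_1(e, n - e), equation (34)."""
    n = len(y) - 1
    P = p1_table(y, p)
    return sum(2.0 ** -e * P[e][n - e] for e in range(n + 1))

def posterior_x1(y, p):
    """Pr{x_1 = 1 | Y^n} under the assumed model: Y^n is uniform a priori
    (Pr{Y^n} = 2^{-n}) and Pr{x_1 = 1} = 1/2."""
    n = len(y) - 1
    return prob_y_given_x1(y, p) * 0.5 / 2.0 ** -n

def prob_y_given_x1_bruteforce(y, p):
    """Check of (34): enumerate every clock-control prefix c_1..c_n directly."""
    n = len(y) - 1
    total = 0.0
    for c in product((0, 1), repeat=n):
        e = n - sum(c)          # d(C^n) = e: only n - e output bits come from X^n
        prob, out = 1.0, 0
        for j, cj in enumerate(c, start=1):
            if cj:
                out += 1
                prob *= match_prob(j, y[out], p)
        total += 2.0 ** -n * prob * 2.0 ** -e   # the last e output bits are uniform
    return total

if __name__ == "__main__":
    y = [None, 1, 0, 1, 1, 0]                   # constructed keystream segment Y^5
    p = [None, None, 0.7, 0.4, 0.55, 0.9]       # constructed p_j = Pr{x_j = 1 | x_1 = 1}
    print(prob_y_given_x1(y, p), prob_y_given_x1_bruteforce(y, p), posterior_x1(y, p))
```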



B Proof of Theorem (…) 

The proof is essentially similar to the proof of Theorem (…) but should be con- 
ducted carefully. To prove (…), we start from (…). First, in view of (…), we 
get
\[
\begin{aligned}
\Pr\{Y^n \mid c_i = 1, X^n\}
&= \sum_{e=0}^{n} \Pr\{Y^n, d(C^n) = e \mid c_i = 1, X^n\} \\
&= \sum_{e=0}^{n} \Pr\{Y^n_{n-e+1}, Y^{n-e}, d(C^n) = e \mid c_i = 1, X^n\} \\
&= \sum_{e=0}^{n} \Pr\{Y^n_{n-e+1} \mid Y^{n-e}, d(C^n) = e, c_i = 1, X^n\}\, Q_i(e, n-e) \\
&= \sum_{e=0}^{n} 2^{-e} Q_i(e, n-e). \tag{41}
\end{aligned}
\]
Namely, on the condition that $d(C^n) = e$, the string $Y^n_{n-e+1}$ is obtained by 
decimating $X_{n+1}$ according to $C_{n+1}$, where $X_{n+1}$ and $C_{n+1}$ are mutually 
independent and purely random even when conditioned on $c_i$ and $Y^{n-e}$. Therefore, 
under the given conditions, $Y^n_{n-e+1}$ is uniformly distributed. Note that (…) is 
similarly derived from (…). Consequently, (22) together with (…) and (41) results 
in (24). 
As for the recursions, we note that the proof of (…) is similar to the proof of 
(…) given below. For $(e, s) \neq (0, 0)$, (…) results in
\[
\begin{aligned}
Q_i(e, s) &= \Pr\{Y^s, d(C^{e+s}) = e \mid c_i = 1, X^n, c_{e+s} = 0\} \cdot \Pr\{c_{e+s} = 0 \mid c_i = 1, X^n\} \\
&\quad + \Pr\{Y^s, d(C^{e+s}) = e \mid c_i = 1, X^n, c_{e+s} = 1\} \cdot \Pr\{c_{e+s} = 1 \mid c_i = 1, X^n\} \\
&= \Pr\{Y^s, d(C^{e+s-1}) = e-1 \mid c_i = 1, X^n, c_{e+s} = 0\} \cdot \tfrac{1}{2}(1 - \delta_{i,e+s}) \\
&\quad + \Pr\{Y^s, d(C^{e+s-1}) = e \mid c_i = 1, X^n, c_{e+s} = 1\} \cdot \tfrac{1}{2}(1 + \delta_{i,e+s}), \tag{42}
\end{aligned}
\]
where the conditional probability in the first term is computed only for $i \neq e + s$. 

Now, as $d(C^{e+s-1})$ is independent of $c_{e+s}$, and $Y^s$ is independent of $c_{e+s}$ on 
the condition that $d(C^{e+s-1}) = e - 1$, we get that for $i \neq e + s$
\[
\Pr\{Y^s, d(C^{e+s-1}) = e-1 \mid c_i = 1, X^n, c_{e+s} = 0\}
= \Pr\{Y^s, d(C^{e+s-1}) = e-1 \mid c_i = 1, X^n\} = Q_i(e-1, s). \tag{43}
\]
On the other hand, if $c_{e+s} = 1$ and $d(C^{e+s-1}) = e$, then $y_s = x_{e+s}$. Thus, 
we get
\[
\begin{aligned}
&\Pr\{Y^s, d(C^{e+s-1}) = e \mid c_i = 1, X^n, c_{e+s} = 1\} \\
&= \Pr\{x_{e+s} = y_s, Y^{s-1}, d(C^{e+s-1}) = e \mid c_i = 1, X^n, c_{e+s} = 1\} \\
&= \Pr\{x_{e+s} = y_s \mid Y^{s-1}, d(C^{e+s-1}) = e, c_i = 1, X^n, c_{e+s} = 1\} \\
&\qquad \cdot \Pr\{Y^{s-1}, d(C^{e+s-1}) = e \mid c_i = 1, X^n, c_{e+s} = 1\} \tag{44} \\
&= \Pr\{x_{e+s} = y_s \mid x_{e+s}\} \cdot \Pr\{Y^{s-1}, d(C^{e+s-1}) = e \mid c_i = 1, X^n\} \tag{45} \\
&= \delta(x_{e+s}, y_s) \cdot Q_i(e, s-1). \tag{46}
\end{aligned}
\]
The first line of (45) follows from the first line of (44) as $x_{e+s}$ is contained in 
$X^n$. In addition, as $d(C^{e+s-1})$ is independent of $c_{e+s}$ and $Y^{s-1}$ is independent 
of $c_{e+s}$ on the condition that $d(C^{e+s-1}) = e$, the second line of (45) follows from 
the second line of (44). 

Equation (…) directly follows from (42), (43), and (46). If $e = 0$, then the 
first term on the right-hand side of (42) is omitted, and if $s = 0$, then the second 
term on the right-hand side of (42) is omitted. The correct values of $Q_i(1, 0)$ and 
$Q_i(0, 1)$ are both obtained from the initial value $Q_i(0, 0) = 1$. 
Abstract. An $(n, m, k)$-resilient function is a function $f : \mathbf{F}_2^n \to \mathbf{F}_2^m$ 
such that every possible output $m$-tuple is equally likely to occur when 
the values of $k$ arbitrary inputs are fixed by an adversary and the 
remaining $n - k$ input bits are chosen independently at random. In this 
paper we propose a new method to generate an $(n + D + 1, m, d - 1)$- 
resilient function for any non-negative integer $D$ whenever an $[n, m, d]$ 
linear code exists. This function has algebraic degree $D$ and nonlinearity 
at least $2^{n+D} - 2^n \lfloor \sqrt{2^{n+D+1}} \rfloor + 2^{n-1}$. If we apply this method to the 
simplex code, we can get a $(t(2^m - 1) + D + 1, m, t2^{m-1} - 1)$-resilient 
function with algebraic degree $D$ for any positive integers $m$, $t$ and 
$D$. Note that if we increase the input size by $D$ in the proposed 
construction, we get a resilient function with the same parameters 
except that the algebraic degree is increased by $D$. 

Keywords: Resilient functions, nonlinearity, correlation immunity, lin- 
earized polynomials 



1 Introduction 

An $(n, m, k)$-resilient function is a function $f : \mathbf{F}_2^n \to \mathbf{F}_2^m$ such that every possible 
output $m$-tuple is equally likely to occur when the values of $k$ arbitrary inputs are 
fixed by an adversary and the remaining $n - k$ input bits are chosen independently 
at random. The concept was introduced by Chor et al. in [8] and independently 
by Bennett et al. in [1]. It was called just a resilient function in those references. 
We call it a vector resilient function when we need to distinguish it from a 
resilient function with $m = 1$, since the term "a resilient function" was regarded 
as a balanced correlation immune function, i.e. a resilient function with $m = 1$, 
in recent references […]. The application area of this function includes fault- 
tolerant distributed computing [8], privacy amplification […] and a combining 
generator for stream ciphers. A resilient function is also closely related to the 
coloring problem […] of finding the smallest $k$ such that a $(2^m; n, k)$-coloring exists. 
A $(2^m; n, k)$-coloring is a coloring of the $n$-dimensional Boolean cube with $2^m$ colors 
such that in every $k$-dimensional subcube each color appears $2^k/2^m$ times. 

Almost all works on resilient functions, with few exceptions [20, 23], deal 
with linear resilient functions or resilient functions with a single bit output. In 

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 458–(…), 2001. 
© Springer-Verlag Berlin Heidelberg 2001 
[9, 10], they focused on finding a bound on the resiliency of a vector Boolean func- 
tion with algebraic degree one. In [6, 7, 16, 17, 18, 21], they focused on constructing 
a resilient function with a single bit output having nonlinearity as high as 
possible. In [23], Zhang and Zheng proposed a method to construct a nonlin- 
ear vector resilient function from a linear vector resilient function by permuting 
its output bits nonlinearly. This method gives an easy transformation from a 
linear resilient function to a nonlinear resilient function, but has the disadvan- 
tage that a resilient function with $m$-bit output constructed by the method has 
algebraic degree at most $m$. In [20], Stinson and Massey proposed nonlinear re- 
silient functions which are counterexamples to the conjecture: if there exists 
a resilient function with certain parameters, then there exists a linear resilient 
function with the same parameters. They proposed infinitely many functions, 
but these cover only special parameters. 

In this paper, we propose a new method to construct nonlinear vector resilient 
functions using linearized polynomials. A linearized polynomial $R(x)$ is a polyno- 
mial over $\mathbf{F}_{2^n}$ such that every term of $R(x)$ has degree a power of 2. An equiv- 
alent definition is that the set of roots of $R(x)$ in its splitting field forms a vector 
space over $\mathbf{F}_2$. Given positive integers $n, m$ and $D$, let $d$ be the minimal dis- 
tance of a certain $m$-dimensional linear code with length $n$. If we take a linearized 
polynomial $R(x)$ whose roots form an $n$-dimensional subspace of $\mathbf{F}_{2^{n+D+1}}$, then 
some projection of $R(x)^{-1} + x$ to $\mathbf{F}_2^m$ is an $(n + D + 1, m, d - 1)$-resilient function 
under the basis whose dual contains a subset generating the set of roots of $R(x)$. 
We can easily find such a projection using an $[n, m, d]$ linear code. Such a function 
has algebraic degree $D$ and nonlinearity at least $2^{n+D} - 2^n \lfloor \sqrt{2^{n+D+1}} \rfloor + 2^{n-1}$. To 
sum up, we can construct an $(n + D + 1, m, d - 1)$-resilient function with algebraic 
degree $D$ whenever an $[n, m, d]$ linear code exists. Observe that by increasing the 
input size by $D$ we can construct a resilient function with the same parameters 
except that the algebraic degree is increased by $D$. 

A simplex code is a $[2^m - 1, m, 2^{m-1}]$ linear code, whose minimal distance is 
maximal. By concatenating each codeword $t$ times, we get a $[t(2^m - 1), m, t2^{m-1}]$ 
linear code. Using this code, we can construct a $(t(2^m - 1) + D + 1, m, t2^{m-1} - 1)$- 
resilient function with algebraic degree $D$ for any positive integers $m$, $t$ and $D$. 
It has nonlinearity greater than or equal to (…). 

In Section 2, we introduce some notation and definitions of cryptographic 
properties. In Section 3, we propose a new method to construct a resilient func- 
tion from a linearized polynomial. In Section 4, we prove the algebraic degree of 
the proposed resilient function. In Section 5, we deal with nonlinearity. In Sec- 
tion 6, we generalize the method of Section 3 to a vector resilient function. In 
Section 7, we apply the proposed vector resilient function to a combining gen- 
erator with multi-bit output, a kind of stream cipher. We conclude in Section 8. 
2 Boolean Functions and Nonlinearity 

Let $E$ be a vector space of finite dimension $n$ over the finite field $\mathbf{F}_2$. A function 
$f$ from $E$ into $\mathbf{F}_2$ is called a Boolean function. The cardinality of the set $\{x \in 
E \mid f(x) = 1\}$ is called the weight of $f$ and denoted by $\mathrm{wt}(f)$. The degree of $f$, 
denoted by $\deg(f)$, is the maximal value of the degrees of the terms of $f$ when 
expressed in the reduced form, called the algebraic normal form. A function 
with degree 1 is called an affine function. The Hamming distance between two 
functions $f$ and $g$ is the weight of $f + g$. The minimal distance between $f$ and 
any affine function from $E$ into $\mathbf{F}_2$ is the nonlinearity of $f$, that is:
\[
\mathcal{N}(f) = \min_{\varphi \in \mathcal{A}} \mathrm{wt}(f + \varphi) \tag{1}
\]
where $\mathcal{A}$ is the set of all affine functions over $E$. 

A function $F : E \to \mathbf{F}_2^m$ is called a vector Boolean function. Note that 
if a basis of $\mathbf{F}_2^m$ over $\mathbf{F}_2$ is specified, there are unique Boolean functions 
$f_i$ such that $F = (f_1, f_2, \ldots, f_m)$. We denote by $b \cdot F$ the Boolean function 
$b_1 f_1 + b_2 f_2 + \cdots + b_m f_m$ for $b = (b_1, b_2, \ldots, b_m) \in \mathbf{F}_2^m$. Using this notation, we 
can write $\mathcal{A}$ as follows:
\[
\mathcal{A} = \{a \cdot x + \delta \mid a \in E, \delta \in \mathbf{F}_2\}. \tag{2}
\]

Definition 1. The nonlinearity $\mathcal{N}(F)$ of a vector Boolean function $F : E \to \mathbf{F}_2^m$ is 
defined as
\[
\mathcal{N}(F) = \min_{b \in \mathbf{F}_2^{m*}} \mathcal{N}(b \cdot F) = \min_{b \in \mathbf{F}_2^{m*},\, \varphi \in \mathcal{A}} \mathrm{wt}(b \cdot F + \varphi) \tag{3}
\]
where $\mathcal{A}$ is the set of all affine functions over $E$. Or equivalently,
\[
\mathcal{N}(F) = \min_{a \in E,\, b \in \mathbf{F}_2^{m*},\, \delta \in \mathbf{F}_2} \mathrm{wt}(b \cdot F + a \cdot x + \delta). \tag{4}
\]

The Walsh-Hadamard transformation of a Boolean function $f$ is defined as
\[
W_f(a) = \sum_{x \in E} (-1)^{f(x) + a \cdot x}, \qquad a \in E. \tag{5}
\]
Since $W_f(a) = \mathrm{wt}(f(x) + a \cdot x) - \mathrm{wt}(f(x) + a \cdot x + 1)$, we have
\[
\mathcal{N}(f) = 2^{n-1} - \frac{1}{2} \max_{a \in E} |W_f(a)|. \tag{6}
\]

Definition 2. A Boolean function $f : E \to \mathbf{F}_2$ is called a $k$-th order correlation 
immune function if $W_f(a) = 0$ for all $a \in E$ with $0 < \mathrm{wt}(a) \le k$. A $k$-th order 
correlation immune function is called a $k$-resilient function if it is balanced (i.e. 
$W_f(0) = 0$). 

Definition 3. A vector Boolean function $F : E \to \mathbf{F}_2^m$ is called a $k$-resilient 
function or an $(n, m, k)$-resilient function for the dimension $n$ of $E$ if $b \cdot F$ is a 
$k$-resilient function for any $b \in \mathbf{F}_2^{m*}$. 




Nonlinear Vector Resilient Functions 



3 Resiliency 

Throughout this paper, let $q = 2^n$ for a positive integer $n$. A polynomial in $\mathbf{F}_q[x]$ 
is called a linearized polynomial if each of its terms has degree a power of 2 
[…]. Let $R(x) = \sum_i a_i x^{2^i}$ be a linearized polynomial over $\mathbf{F}_{2^n}$ and 
$N_R(\mathbf{F}_q) = \{x \in \mathbf{F}_q \mid R(x) = 0\}$ be the set of zeros of $R(x)$, which forms a subspace 
of $\mathbf{F}_q$. From now on, we define the inversion function $R(x)^{-1}$ to be $R(x)^{q-2}$. 
Note that if we represent $a, b \in \mathbf{F}_q$ by a basis and its dual basis, respectively, we 
have $a \cdot b = \mathrm{Tr}[ab]$ where $\mathrm{Tr}[\cdot]$ is the trace function from $\mathbf{F}_q$ to $\mathbf{F}_2$. 

Lemma 1. [5] Let $a, b \in \mathbf{F}_q$, $R(x)$ a linearized polynomial and $F(x) = 1/R(x)$. 
If $\mathrm{Tr}[ax]$ does not vanish identically on $N_R(\mathbf{F}_q)$, then
\[
W_{\mathrm{Tr}[bF(x)]}(a) = 0.
\]

Proof. Suppose $x_0 \in \mathbf{F}_q \setminus N_R(\mathbf{F}_q)$. For $x = x_0 + x'$ with $x' \in N_R(\mathbf{F}_q)$, we have 
$\mathrm{Tr}[ax + b/R(x)] = \mathrm{Tr}[ax_0 + b/R(x_0)] + \mathrm{Tr}[ax']$ and this is zero for $\#N_R(\mathbf{F}_q)/2$ elements 
$x'$. Since half of the elements of each coset of $N_R(\mathbf{F}_q)$ satisfy $\mathrm{Tr}[ax + b/R(x)] = 0$, 
we have $W_{\mathrm{Tr}[bF]}(a) = 0$. 

Using this, we can derive the following. 

Theorem 1. Let $R(x)$ be a linearized polynomial such that $N_R(\mathbf{F}_q)$ is generated 
by $\{\xi_1, \xi_2, \ldots, \xi_w\}$ for some $w > 0$, and let $F(x) = 1/R(x) + cx$ for $c \in \mathbf{F}_q$. 
Suppose $B = \{\xi_1, \xi_2, \ldots, \xi_n\}$ is a basis of $\mathbf{F}_q$ and $\bar{B} = \{\zeta_1, \zeta_2, \ldots, \zeta_n\}$ its dual 
basis. Then $\mathrm{Tr}[bF]$ is a $(t-1)$-resilient function under the basis $B$ if the projection 
of $bc$ on $\langle \zeta_1, \zeta_2, \ldots, \zeta_w \rangle$ has weight $t$. 

Observe that the maximum of $t$ is $w$. 

Proof. Let $a = \sum_{i=1}^{n} a_i \zeta_i$ and $bc = \sum_{i=1}^{n} b_i \zeta_i$. If we write $f(x) = \mathrm{Tr}[b(1/R(x) + 
cx)]$, we have
\[
\begin{aligned}
W_f(a) \neq 0 &\iff \mathrm{Tr}[(a + bc)x] = 0 \text{ on } N_R(\mathbf{F}_q) \\
&\iff \mathrm{Tr}[(a + bc)\xi_i] = 0 \text{ for } 1 \le i \le w \\
&\iff a_i = b_i \text{ for } 1 \le i \le w.
\end{aligned}
\]
Since $t$ of the $b_i$ for $1 \le i \le w$ are equal to one, we have $W_f(a) = 0$ for all $a$ 
with $0 \le \mathrm{wt}(a) < t$, which proves the $(t-1)$-resiliency of $\mathrm{Tr}[bF]$. 

Example 1. Let $q = 2^8$ and $V = \{\xi_1, \xi_2, \xi_3, \xi_4\}$ be a set of linearly independent 
elements of $\mathbf{F}_q$, and let $R(x) = \prod (x - \xi)$ where $\xi$ ranges over all linear com- 
binations of elements of $V$. Suppose $B = \{\xi_1, \xi_2, \ldots, \xi_8\}$ is a basis of $\mathbf{F}_q$ and 
$\bar{B} = \{\zeta_1, \zeta_2, \ldots, \zeta_8\}$ its dual basis. Then $f(x) = \mathrm{Tr}[(\zeta_1 + \zeta_2 + \zeta_3 + \zeta_4)(1/R(x) + x)]$ 
is a 3-resilient function under the basis $B$. 
4 Algebraic Degree 

Theorem 2. Let $w > 0$. Consider a linearized polynomial $R(x) = \prod_{\xi \in V}(x - \xi)$ 
where $\xi$ ranges over all elements of a $w$-dimensional subspace $V$ of $\mathbf{F}_q$. Then 
$F(x) = 1/R(x)$ has algebraic degree $n - 1 - w$. 

Proof. First, we claim that $F(x)$ has algebraic degree $\le n - 1 - w$. We use 
induction on $w$. For $w = 0$, it is trivial since $F(x) = 1/x$ has algebraic 
degree $n - 1$. Assume that the claim holds for all dimensions less than $w$. Let $W$ 
be a $(w-1)$-dimensional subspace of $V$, $\alpha \in V \setminus W$ and $S(x) = \prod_{\xi \in W}(x - \xi)$. 
Then we have
\[
\frac{1}{R(x)} = \frac{1}{S(x)S(x + \alpha)} = \frac{1}{S(x) + S(x + \alpha)}\left(\frac{1}{S(x)} + \frac{1}{S(x + \alpha)}\right). \tag{7}
\]
Note that $f(x) + f(x + \alpha)$ has algebraic degree less than that of $f$ for any 
Boolean function $f$ and $\alpha \in \mathbf{F}_q$. Since $S(x)$ is a linearized polynomial and so has 
algebraic degree 1, $S(x) + S(x + \alpha)$ is a nonzero constant for $\alpha \notin W$. By 
the induction hypothesis, $1/S(x)$ has algebraic degree $\le n - 1 - (w - 1) = n - w$. 
Hence $F(x)$ has algebraic degree less than $n - w$, which proves the claim. 

Now we prove the equality. Suppose that there is a $w$-dimensional sub- 
space $V$ such that $1/R(x)$ has algebraic degree less than $n - w - 1$. Take a basis 
$B = (\xi_1, \xi_2, \ldots, \xi_n)$ of $\mathbf{F}_q$ where $\xi_1, \ldots, \xi_w$ generate $V$. Take $R_w(x) = R(x)$ 
and $R_{i+1}(x) = R_i(x) R_i(x + \xi_{i+1})$ for $w \le i \le n - 1$. By the same deduction 
as (7), $1/R_{i+1}(x)$ has algebraic degree less than $1/R_i(x)$ for $w \le i \le n - 1$. 
Thus, $1/R_{n-1}(x)$ has algebraic degree less than $(n - 1) - (n - 1) = 0$. That is, 
$1/R_{n-1}(x)$ should be zero for all $x \in \mathbf{F}_q$, which implies $R_{n-1}(x) = 0$ for all 
$x \in \mathbf{F}_q$. This is a contradiction because $R_{n-1}$ has only $2^{n-1}$ roots. Therefore we 
have the theorem. 

Observe that if $V$ has dimension $w$, we can derive a $(w-1)$-resilient 
function with algebraic degree $n - w - 1$ from $F(x) = 1/R(x)$. From 
Siegenthaler's inequality [19], we have $\deg f \le n - 1 - (w - 1) = n - w$ for 
every component function $f$ of $1/R(x)$. Thus, our resilient function has algebraic 
degree one less than the maximal degree achieved by $(w-1)$-resilient functions 
in $\mathbf{F}_q$. 

5 Nonlinearity 

Consider a non-singular complete curve given by $y^2 + y = ax + b/R(x)$ for $a, b \in \mathbf{F}_q$. 
By the Hurwitz-Zeuthen formula, it has genus $g = 2^w - \delta_{a,0}$, where $2^w$ is the 
degree of $R(x)$ and the Kronecker delta $\delta_{a,0}$ is one if and only if $a = 0$. Using 
the Hasse-Weil bound on the number of points of an algebraic curve, we can get 
the following lemma. 

Lemma 2. Let $R(x)$ be a linearized polynomial such that $N_R(\mathbf{F}_q)$ is generated 
by $\{\xi_1, \xi_2, \ldots, \xi_w\}$ for some $0 < w < n$. Let $a, b \in \mathbf{F}_q$ and $b \neq 0$. Let $C$ be a 
complete non-singular curve over $\mathbf{F}_q$ given by $y^2 + y = ax + b/R(x)$. Then we have
\[
|\#C(\mathbf{F}_q) - q - 1| \le 2g\sqrt{q},
\]
where $g = 2^w - \delta_{a,0}$ is the genus of the curve $C$. 

Theorem 3. Let $R(x)$ be a linearized polynomial such that $N_R(\mathbf{F}_q)$ is generated 
by $\{\xi_1, \xi_2, \ldots, \xi_w\}$ for some $0 < w < n$. Then we have
\[
\mathcal{N}\!\left(\frac{1}{R(x)}\right) \ge 2^{n-1} - 2^w \lfloor \sqrt{q} \rfloor + 2^{w-1}.
\]

Proof. Let $F(x) = 1/R(x)$ and $b \in \mathbf{F}_q^*$. 

Assume $a \neq 0$. The complete non-singular curve $C$ given by $y^2 + y = ax + 
b/R(x)$ has a point at infinity and a point on each of the roots of $R(x)$. Otherwise, 
it has 2 points whenever $\mathrm{Tr}[ax + b/R(x)] = 0$. Hence we have
\[
\#C(\mathbf{F}_q) = 2\#\{x \in \mathbf{F}_q \mid \mathrm{Tr}[ax + b/R(x)] = 0\} + 2^w + 1. \tag{8}
\]
Assume $a = 0$. The complete non-singular curve $C$ given by $y^2 + y = b/R(x)$ 
has two points at infinity and a point on each of the roots of $R(x)$. Otherwise, 
it has 2 points whenever $\mathrm{Tr}[ax + b/R(x)] = 0$. Hence we have
\[
\#C(\mathbf{F}_q) = 2\#\{x \in \mathbf{F}_q \mid \mathrm{Tr}[ax + b/R(x)] = 0\} + 2^w + 2. \tag{9}
\]
Observe that $\#C(\mathbf{F}_q) - 1 - \delta_{a,0}$ is divisible by $2^{w+1}$ from Corollary (1.5) in [11]. 
Since $W_{b \cdot F}(a) = 2\#\{x \in \mathbf{F}_q \mid \mathrm{Tr}[ax + b/R(x)] = 0\} - q = \#C(\mathbf{F}_q) - 1 - \delta_{a,0} - 2^w - q$, 
we can write $W_{\mathrm{Tr}[bF]}(a) = s \cdot 2^{w+1} - 2^w$ for some integer $s$. 

On the other hand, by Lemma 2, for all $a$ we have
\[
|\#C(\mathbf{F}_q) - q - 1| = |s \cdot 2^{w+1} + \delta_{a,0}| \le 2(2^w - \delta_{a,0})\sqrt{q}.
\]
That is, we have $|s| \le \lfloor \sqrt{q} \rfloor$. 

Combining them, we find that the maximum of $|W_{\mathrm{Tr}[bF]}(a)|$ is bounded by 
$2^{w+1}\lfloor \sqrt{q} \rfloor - 2^w$. From (6) we get the theorem. 

Observe that this bound on the nonlinearity is very tight for small $w$, but not so 
good for large $w$. 

6 Vector Resilient Functions 

We begin with some basic terminology of coding theory [13]. A linear code $C$ is 
a linear subspace of $\mathbf{F}_2^n$. An element of $C$ is called a codeword. The minimum 
distance of $C$ is defined as the minimum of the weights of all nonzero codewords in 
$C$. An $[n, m, d]$ code is an $m$-dimensional linear code of length $n$ with minimum 
distance $d$. 

Suppose $W$ is a vector space generated by $\{e_1, e_2, e_3\}$. Then $V = \langle e_1 + e_2 + e_3 \rangle$ 
is a $[3, 1, 3]$ linear code since $V$ has one nonzero element $e_1 + e_2 + e_3$ with weight 
3. If we define $V' = \langle e_1 + e_2, e_2 + e_3 \rangle$, it is a $[3, 2, 2]$ linear code since every 
nonzero element of $V'$ has weight 2. 

Theorem 4. Let $R(x)$ be a linearized polynomial such that $N_R(\mathbf{F}_q)$ is generated 
by $\{\xi_1, \xi_2, \ldots, \xi_w\}$ for some $w > 0$, and $F(x) = 1/R(x) + x$. Suppose $B = 
\{\xi_1, \xi_2, \ldots, \xi_n\}$ is a basis of $\mathbf{F}_q$ and $\bar{B} = \{\zeta_1, \zeta_2, \ldots, \zeta_n\}$ its dual basis. For 
$1 \le m \le w$, let $B_1, B_2, \ldots, B_m$ be elements of the vector space with the 
basis $\bar{B}$ whose projection on $\langle \zeta_1, \zeta_2, \ldots, \zeta_w \rangle$ forms a $[w, m, d]$ linear code. Then 
$(\mathrm{Tr}[B_1 F], \mathrm{Tr}[B_2 F], \ldots, \mathrm{Tr}[B_m F])$ is a $(d-1)$-resilient function under the basis 
$B$. 

Proof. Any component function of $(\mathrm{Tr}[B_1 F], \mathrm{Tr}[B_2 F], \ldots, \mathrm{Tr}[B_m F])$ is written 
as $\mathrm{Tr}[BF]$ for $B = \sum_{i=1}^{m} b_i B_i$ with $b_i \in \mathbf{F}_2$. Observe that the projection of such 
$B$ on $\langle \zeta_1, \zeta_2, \ldots, \zeta_w \rangle$ has weight greater than or equal to $d$. Hence $\mathrm{Tr}[BF]$ is a 
$(d-1)$-resilient function by Theorem 1. Since every component function is a 
$(d-1)$-resilient function, so is $(\mathrm{Tr}[B_1 F], \mathrm{Tr}[B_2 F], \ldots, \mathrm{Tr}[B_m F])$. 

Using Theorem 4 we can construct an $(n, m, k)$-resilient function from $\mathbf{F}_2^n$ to 
$\mathbf{F}_2^m$ when $k = d(w, m) - 1$ for some $w$ with $0 < m \le w < n$, as in Algorithm 1. 

Algorithm 1 (Construct a vector resilient function) 

1. Input $n$, $m$ and $k$ such that $k = d(w, m) - 1$ for some $w$ with $0 < m \le 
w < n$. 

2. Take a set $U = \{\xi_1, \xi_2, \ldots, \xi_w\}$ of $w$ linearly independent elements of 
$\mathbf{F}_{2^n}$. Let $B = \{\xi_1, \xi_2, \ldots, \xi_n\}$ be a basis of $\mathbf{F}_{2^n}$ and $\bar{B} = \{\zeta_1, \zeta_2, \ldots, \zeta_n\}$ 
its dual basis. 

3. Assume a $[w, m, d]$ linear code is generated by $\{c_1, c_2, \ldots, c_m\}$ where 
$c_i = [c_{i1}, c_{i2}, \ldots, c_{iw}]$ and $c_{ij} \in \mathbf{F}_2$. Compute $B_i = \sum_{j=1}^{w} c_{ij} \zeta_j$. 

4. Let $F(x) = 1/R(x) + x$ for $R(x) = \prod (x - \xi)$ where $\xi$ ranges over all 
elements of the subspace generated by $U$. Compute $\mathrm{Tr}[B_i F(x)]$ for 
$1 \le i \le m$. 

5. Output a $k$-resilient function
\[
S(x) = (\mathrm{Tr}[B_1 F(x)], \mathrm{Tr}[B_2 F(x)], \ldots, \mathrm{Tr}[B_m F(x)])
\]
from $\mathbf{F}_2^n$ to $\mathbf{F}_2^m$ by taking the basis $B$ for $\mathbf{F}_{2^n}$. 

The following is an example of Algorithm 1. 

Example 2. Let $q = 2^8$ and $V = \{\xi_1, \xi_2, \xi_3\}$ be a set of linearly independent ele- 
ments of $\mathbf{F}_q$, and let $R(x) = \prod (x - \xi)$ where $\xi$ ranges over all linear combinations 
of elements of $V$. Let $B = \{\xi_1, \xi_2, \ldots, \xi_8\}$ be a basis of $\mathbf{F}_q$ and $\bar{B} = \{\zeta_1, \zeta_2, \ldots, \zeta_8\}$ 
its dual basis. Then $(f_1, f_2)$ is an $(8, 2, 1)$-resilient function under the basis $B$ where 
$f_1 = \mathrm{Tr}[(\zeta_1 + \zeta_2)(1/R(x) + x)]$ and $f_2 = \mathrm{Tr}[(\zeta_2 + \zeta_3)(1/R(x) + x)]$. 

If we combine Theorems 2, 3 and 4, we get the following theorem. 

Theorem 5. Assume $0 < m \le n$ and an $[n, m, d]$ linear code exists. For any 
nonnegative integer $D$, there exists an $(n + D + 1, m, d - 1)$-resilient function 
with algebraic degree $D$, whose nonlinearity is greater than or equal to 
$2^{n+D} - 2^n \lfloor \sqrt{2^{n+D+1}} \rfloor + 2^{n-1}$. 

Note that for any positive integer $m$ there exists a $[2^m - 1, m, 2^{m-1}]$ code, the so- 
called simplex code, which has the maximal value of minimal distance among 
$m$-dimensional linear codes with length $2^m - 1$. Concatenating each codeword $t$ 
times gives a $[t(2^m - 1), m, t2^{m-1}]$ linear code. If we apply this code to Theorem 
5 we get the following result. 

Corollary 1. For any positive integers $m, t$ and $D$, there is a $(t(2^m - 1) + 
D + 1, m, t2^{m-1} - 1)$-resilient function with algebraic degree $D$ and nonlinearity 
greater than or equal to (…). 

Given positive integers $n$ and $m$, we define the maximal resiliency $\kappa(n, m)$ 
to be the maximal value of resiliency $k$ such that an $(n, m, k)$-resilient function 
exists. Chor et al. [8] showed that $\kappa(n, 2) = \lfloor 2n/3 \rfloor - 1$. For general $m$, Friedman 
[10] showed that given positive integers $n$ and $m$ the maximal resiliency $\kappa(n, m)$ 
satisfies
\[
\kappa(n, m) \le n - 1 - \left\lceil \frac{n(2^{m-1} - 1)}{2^m - 1} \right\rceil. \tag{10}
\]

Bierbrauer et al. [3] showed that an $[n, m, d]$ linear code can be used to con- 
struct an $(n, m, d - 1)$-resilient function. Combining this with (10), we find that 
$\kappa(t(2^m - 1), m) = t2^{m-1} - 1$. On the other hand, if we consider linear re- 
silient functions, i.e. $D = 1$, in Corollary 1 the proposed construction gives a 
$(t(2^m - 1) + 2, m, t2^{m-1} - 1)$-resilient function which has a 2-bit larger input length 
with the same output size and resiliency. By this construction, however, for any 
positive integer $D$ we can construct a resilient function of algebraic degree $D$ 
with the same parameters by increasing the input size by $D$ bits. 

In [23], the authors proposed a method to construct a nonlinear vector resilient 
function from a linear vector resilient function by permuting its output bits 
nonlinearly. That is: 

Let $F$ be a linear $(n, m, k)$-resilient function and $G$ a permutation on $\mathbf{F}_2^m$ 
whose nonlinearity is $\mathcal{N}_G$. Then $P = G \circ F$ is an $(n, m, k)$-resilient function such 
that 

1. the nonlinearity $\mathcal{N}_P$ of $P$ satisfies $\mathcal{N}_P = 2^{n-m}\mathcal{N}_G$ and 

2. the algebraic degree of $P$ is the same as that of $G$. 

A vector Boolean function with $m$-bit output generated by this method has 
algebraic degree less than $m$, while our method can generate a resilient function 
with algebraic degree up to $n - 2 - m$. The largest nonlinearity achieved by a 
permutation on $\mathbf{F}_2^m$ is $2^{m-1} - 2^{(m-1)/2}$ [15]. Thus, such an $(n, m, k)$-resilient function 
has nonlinearity $\le 2^{n-1} - 2^{n-(m+1)/2}$. Hence resilient functions constructed by 
the proposed method have a larger bound on nonlinearity for small $m$ than the 
previous method. Another obstacle of the previous method is to find a nonlinear 
permutation, which is not easy for even $m$ except for $x^{-1}$. 

Generally, it is not easy to obtain the maximum value of $m$ given $n$ and $d$, or 
the maximal value of $d$ given $n$ and $m$. For small $n, m$, however, there is a table 
[4] for the maximum value $d(n, m)$ of $d$ such that an $[n, m, d]$ linear code exists. 
Refer to the appendix for $1 \le n \le 15$ and $1 \le m \le 6$. These maximum values 
of the minimum distances give the maximal resiliency $k$ of $(n, m, k)$-resilient 
functions with algebraic degree $D$ constructed by Algorithm 1. In Table 1, 
0-resiliency means balancedness. 



Table 1. The maximum resiliency $k$ of proposed $(n, m, k)$-resilient functions with the 
algebraic degree $D$. 

m \ n | 2+D | 3+D | 4+D | 5+D | 6+D | 7+D | 8+D | 9+D | 10+D | 11+D | 12+D | 13+D | 14+D 

[The entries of Table 1 could not be recovered from the scan; only the column headings survive.] 



7 Stream Ciphers 

One of the most widely used designs for stream ciphers is a combination gen- 
erator. A combination generator consists of several linear feedback shift reg- 
isters (LFSRs) whose output sequences are combined by a nonlinear Boolean 
function, called a combining function. To resist the well-known correla- 
tion attack, a combining function should be resilient. Fig. 1 is an example of a 
stream cipher with multi-bit output, where KSGs are key stream generators and 
$F$ is a combining function. 

To get a high linear complexity, we use feedback shift registers with carry 
operation (FCSRs) [12] as KSGs instead of LFSRs in a combining generator. Let 
$n$ be the number of FCSRs with $k$ registers and $m$ the number of output bits. 
By Theorem 5 we can construct a $(w + D + 1, m, d - 1)$-resilient function for 
any non-negative integer $D$ whenever a $[w, m, d]$ linear code exists. The function 
has algebraic degree $D$ and nonlinearity at least $2^{w+D} - 2^w \lfloor \sqrt{2^{w+D+1}} \rfloor + 2^{w-1}$. 
We use this vector resilient function as a combining function. 

Fig. 1. A stream cipher with multi-bit output 

Note that the correlation attack has complexity $O(2^{dk})$ when the combining func- 
tion is $(d-1)$-resilient. On the other hand, the linear complexity attack has com- 
plexity $O(M^3)$ for a cipher with linear complexity $M$. Since every FCSR has 
linear complexity $2^k$ and the combining function has algebraic degree $n - w - 1$, 
we have $M = 2^{k(n-w-1)}$. Hence when $d(w, m) \approx 3(n - w - 1)$, the two complexities 
are similar. 

For example, if we let $n - w - 1 = 2$ and $d = 5$, the complexity becomes 
$O(2^{3k})$. In that case, we have $w = 9$ for $m = 2$ and $w = m + 8$ for $m \ge 3$. 
That is, if $k = 20$, we can design ciphers with the features listed in Table 2. Here the 
complexity is against the linear complexity attack and the correlation attack for 
a linear combination of output bits. 

However, if we consider a correlation attack using a nonlinear combination 
of output bits, the complexity might be different. In that case, the maximum 
correlation coefficient should be considered. Currently, we do not know the 
maximum correlation of the proposed vector resilient functions. It would be an 
interesting problem to compute them. 



Table 2. Input vs. output with fixed resiliency 

Input (n) | Output (m) | Dim (w) | Alg. Deg. (D) | Resiliency (k) | Complexity 
12 | 2 | 9 | 2 | 5 | 
14 | 3 | 11 | 2 | 5 | 
15 | 4 | 12 | 2 | 5 | 
17 | 5 | 14 | 2 | 5 | 
18 | 6 | 15 | 2 | 5 | 
19 | 7 | 16 | 2 | 5 | 
21 | 9 | 18 | 2 | 5 | 

[The entries of the Complexity column could not be recovered from the scan.] 
8 Conclusion 

In this paper we proposed a method to construct an $(n + D + 1, m, d - 1)$- 
resilient function with algebraic degree $D$ for an arbitrary positive integer $D$ 
using a linearized polynomial and an $[n, m, d]$ linear code. Since its nonlin- 
earity is related to the number of rational points of associated algebraic 
curves, we can find a bound on its nonlinearity using the Hasse-Weil bound for al- 
gebraic curves. Applying this method to the well-known simplex code gives a 
$(t(2^m - 1) + D + 1, m, t2^{m-1} - 1)$-resilient function with algebraic degree $D$ 
for any positive integers $m$, $t$ and $D$. Note that if we increase the input size by 
$D$ in the proposed construction, we get a resilient function with the same 
parameters except that the algebraic degree is increased by $D$. To the author's knowledge, this 
method is the first one to generate a nonlinear vector resilient function with 
algebraic degree larger than the output size. 

Acknowledgements. The author would like to thank Dr. Seongtaek Chee, 
Prof. Joseph Silverman, and Prof. Kyeongcheol Yang for helpful discussions and 
comments. This work was supported by the postdoctoral fellowship program of the 
Korea Science and Engineering Foundation (KOSEF). 

References 

1. C. Bennett, G. Brassard, and J. Robert, “Privacy Amplification by Public Discas- 
sion,” SIAM J. Computing, Vol. 17, pp. 210-229, 1988. 

2. C. Bennett, G. Brassard, C. Crepeau, and U. Maurer, “Generalized Privacy Am- 
plification,” IEEE Trans, on Information Theory, Vol. 41, No. 6, pp. 1915-1923, 
1995. 

3. J. Bierbrauer, K. Gopalakrishnan, and D. Stinson, “Bounds on Resilient Functions 
and Orthogonal Arrays, ” Proc. of Crypto’94, pp. 247-256, Springer- Verlag, 1994. 

4. A. Brouwer and T. Verhoeff, “An Updated Table of Mimimum-Distance Bounds 
for Binary Linear Codes,” IEEE Trans, on Infomation Theory, Vol. 39, No. 2, 
pp.662-677, 1993. 

5. J. Cheon and S. Chee, “Elliptic Curves and Resilient Functions,” Proc. of ICISC’OO, 
pp.64-72, 2000. 

6. P. Camion, C. Carlet, P. Charpin, and N. Sendrier, “On Correlation Immune Func- 
tions,” Proc. of Crypto’91, pp. 86-100, Springer- Verlag, 1992. 

7. S. Chee, S. Lee, D. Lee, and S. Sung, “On the Correlation Immune Functions and 
their Nonlinearity,” Proc. of Asiacrypt’96, pp. 232-243, Springer- Verlag, 1996. 

8. B. Chor, O. Goldreich, J. Hastad, J. Friedman, S. Rudich, and R. Smolensky, “The 
Bit Extraction Problem or t-Resilient Functions,” IEEE Symposium on Founda- 
tions of Computer Science, Vol. 26, pp. 396-407, 1985. 

9. K. Friedl and S.C. Tsai, “Two Results on the Bit Extraction Problem”, Discrete 
Applied Mathematics, Vol 99, pp. 443-454, 2000 

10. J. Friedman, “On the Bit Extraction Problem,” Proc. of 33rd IEEE Symposium 
on Foundations of Computer Science, pp. 314-319, 1992. 

11. G. van der Geer and M. van der Vlugt, “Trace Codes and Families of Algebraic 
Curves,” Math. Z., Vol. 209, pp. 307-315, Springer- Verlag, 1992. 




Nonlinear Vector Resilient Functions 



469 



12. A. Klapper and M. Goresky, “Feedback Shift Registers, Combiners with Memory, 
and 2-adic Span,” Journal of Cryptology, Vol. 10, pp. 111-147, Springer-Verlag, 
1997. 

13. J.H. van Lint, Introduction to Coding Theory, Springer-Verlag, 1992. 

14. R. Lidl and H. Niederreiter, Finite Fields, Cambridge University Press, 1997. 

15. K. Nyberg, “S-Boxes and Round Functions with Controllable Linearity and Differential 
Uniformity,” Proc. of the Second Fast Software Encryption, pp. 111-130, 
Springer-Verlag, 1994. 

16. E. Pasalic and T. Johansson, “Further Results on the Relation Between Nonlinearity 
and Resiliency for Boolean Functions,” Proc. of IMA Conference on Cryptography 
and Coding, pp. 35-44, LNCS 1746, Springer-Verlag, 1999. 

17. P. Sarkar and S. Maitra, “Nonlinearity Bounds and Constructions of Resilient 
Boolean Functions,” Proc. of Crypto’00, pp. 515-532, Springer-Verlag, 2000. 

18. J. Seberry, X. Zhang and Y. Zheng, “On Constructions and Nonlinearity of Correlation 
Immune Boolean Functions,” Eurocrypt’93, pp. 181-199, Springer-Verlag, 
1993. 

19. T. Siegenthaler, “Correlation-Immunity of Nonlinear Combining Functions for 
Cryptographic Applications,” IEEE Transactions on Information Theory, IT-30(5), 
pp. 776-780, 1984. 

20. D. Stinson and J. Massey, “An Infinite Class of Counterexamples to a Conjecture 
Concerning Nonlinear Resilient Functions,” Journal of Cryptology, Vol. 8, No. 3, 
pp. 167-173, Springer-Verlag, 1995. 

21. Y. Tarannikov, “On Resilient Boolean Functions with Maximum Possible Nonlinearity,” 
Proc. of Indocrypt’00, pp. 19-30, Springer-Verlag, 2000. 

22. M. Zhang and A. Chan, “Maximum Correlation Analysis of Nonlinear S-boxes in 
Stream Ciphers,” Proc. of Crypto’00, pp. 501-514, Springer-Verlag, 2000. 

23. X. Zhang and Y. Zheng, “Cryptographically Resilient Functions,” IEEE Trans. 
Inform. Theory, Vol. 43, No. 5, pp. 1740-1747, 1997. 



Appendix: Minimum Distance of Linear Codes 

For given $n, m < 127$, there is a table of the maximum value of d such that 
an $[n, m, d]$ linear code exists. Some of them are as below: 



Table 3. The maximum d such that an $[n, m, d]$ linear code exists. 
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Abstract. Most public key cryptosystems have been constructed based 
on abelian groups up to now. We propose a new public key cryptosystem 
built on finite non abelian groups in this paper. It is convertible to a 
scheme in which the encryption and decryption are much faster than in 
other well-known public key cryptosystems, and it needs no message 
expansion. 

Furthermore a signature scheme can be easily derived from it, while it is 
difficult to find a signature scheme using a non abelian group. 



1 Introduction 

The most frequently used problems in public key cryptosystems are the fac- 
torization problem and the discrete logarithm problem (DLP). Cryptosys- 
tems based on these problems have been built on abelian groups. 
In Crypto 2000, Ko et al. proposed a new public key cryptosystem based on braid 
groups, which are non abelian groups. To the authors’ best knowledge, it was the 
first practical public key cryptosystem based on non abelian groups. 

When we use a non abelian group G for a public key cryptosystem, we need 
to consider the following problems related to the word problem: 

- How do we express a message as an element of G? 

- Can every element of G be represented in a unique way for a given expres- 
sion? 

If an element of G is not represented in a unique way, then a plaintext and 
its deciphertext may not be the same. Therefore the second problem is very impor- 
tant when we use a non abelian group for a public key system. Matrix groups 
and semi-direct products of abelian groups are examples of non abelian groups 
which have such expressions. 

In this paper, we suggest a new cryptosystem based on such a finite non 
abelian group G. Our PKC is based on the DLP in the inner automorphism group 

$$Inn(G) = \{Inn(g) \mid g \in G\},$$ 

where $Inn(g)(x) = gxg^{-1}$. The advantages of our PKC are as follows: 

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 470- P?^ 2001. 
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- We can apply our encryption scheme to G even if the DLP and the (special) 
conjugacy problem in G are not hard problems. 

- Parameter selection is much easier than in ECC and XTR. 

- We can increase the speed of the encryption and decryption. More precisely, 
when m is a message and $g^a$ is the public key in ElGamal-type encryption, 
the ciphertext sent to the receiver depends on a random integer b, and it is cru- 
cial that different random integers b be used to encrypt different messages. In 
our scheme, we can fix b without loss of security, so we can increase the 
speed of the encryption and decryption. Moreover no message expansion is 
required. 

- It is easy to make a signature scheme with our PKC. In general, it is not 
easy to find a signature scheme using an infinite non abelian group such as 
a braid group. 

If we fix b, our PKC is about 30 times faster than RSA with a 32-bit public 
exponent in encryption and about 200 times faster in decryption. 

2 Preliminaries 

2.1 Semi-direct Product 

From some given groups, we can easily make new non abelian groups using semi- 
direct products. Recall the definition of the semi-direct product: 

Definition 1. (Semi-direct product) Let G and H be given groups and $\theta : H \to 
Aut(G)$ be a homomorphism, where $Aut(G)$ is the automorphism group of G. 
Then the semi-direct product $G \rtimes_\theta H$ is the set 

$$G \times H = \{(g, h) \mid g \in G,\ h \in H\}$$ 

together with the multiplication map 

$$(g_1, h_1) \cdot (g_2, h_2) = (g_1\,\theta(h_1)(g_2),\ h_1 h_2).$$ 

Then we have 

$$(e_G, h_1)(g_2, e_H)(e_G, h_1)^{-1} = (\theta(h_1)(g_2),\ e_H), \qquad (2.1)$$ 

where $e_G, e_H$ are the identity elements of G and H, respectively. So G can be 
considered as a normal subgroup of $G \rtimes_\theta H$. If $\theta(H) \neq \{Id\}$, then $G \rtimes_\theta H$ is a non 
abelian group even if G and H are abelian. 

Example 1. (1) The most familiar example of the semi-direct product is the isome- 
try group of Euclidean space $\mathbb{R}^n$. This group is the semi-direct product of the 
translation group $\mathbb{R}^n$ and the orthogonal group $O(n, \mathbb{R})$. 
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(2) It is a well known fact that $Aut(\mathbb{Z}_n) = \mathbb{Z}_n^*$, where $\mathbb{Z}_n^*$ is the multiplicative 
group of $\mathbb{Z}_n$. Since $\mathbb{Z}_4^* \cong \mathbb{Z}_2$, there exists a non constant homomorphism, in fact 
an isomorphism, of $\mathbb{Z}_2$ into $\mathbb{Z}_4^*$. Thus $\mathbb{Z}_4 \rtimes_\theta \mathbb{Z}_2$ is a non abelian group. 

(3) If G is a non abelian group, then there exists a natural homomorphism from 
G to $Aut(G)$. Precisely, 

$$Inn : G \to Aut(G), \qquad g \mapsto Inn(g), \quad Inn(g)(h) = ghg^{-1}. \qquad (2.2)$$ 

We call $Inn(g)$ an inner automorphism. It is easy to check that $\ker(Inn)$ is 
the center of G. Recall that the center of G is the set $\{z \mid [z, g] = zgz^{-1}g^{-1} = 
e_G \text{ for all } g \in G\}$. If G is an abelian group, $Inn$ is a constant map and so 
$G \rtimes_{Inn} G = G \times G$. But if G is a non abelian group, then $G \rtimes_{Inn} G$ is an 
interesting extension of G. 

If we apply semi-direct products to p-groups inductively, we can make a 
nilpotent group. It is a well known fact that a finite nilpotent group can be expressed 
in a unique way as a direct product of its Sylow p-subgroups. The above $\mathbb{Z}_4 \rtimes_\theta \mathbb{Z}_2$ of 
Example 1 (2) is a nilpotent group of order 8. 
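As an added illustration of Definition 1 (not from the paper), the following Python builds the group $\mathbb{Z}_4 \rtimes_\theta \mathbb{Z}_2$ of Example 1 (2) directly from the multiplication rule of Definition 1, with $\theta(1)$ the inversion automorphism $g \mapsto -g$ (the non-trivial element of $Aut(\mathbb{Z}_4) = \mathbb{Z}_4^* = \{1, 3\}$), and checks the facts claimed above: the group has order 8 and is non abelian, $G \times \{e_H\}$ is normal by (2.1), $\ker(Inn)$ is the center and has order 2, and $Inn$ is not constant. The group sizes and the function names are my choices.

```python
# Added example (not from the paper): Z_4 x_theta Z_2 per Definition 1 and
# Example 1 (2).  Elements are pairs (g, h); both factors are written additively.
from itertools import product

N, M = 4, 2          # G = Z_N, H = Z_M (toy sizes from Example 1 (2))

def theta(h):
    """theta : Z_2 -> Aut(Z_4); theta(1) is inversion, i.e. multiplication by 3."""
    return lambda g: (g * pow(3, h, N)) % N

def mul(p, q):
    """(g1, h1)(g2, h2) = (g1 + theta(h1)(g2), h1 + h2)  (Definition 1)."""
    (g1, h1), (g2, h2) = p, q
    return ((g1 + theta(h1)(g2)) % N, (h1 + h2) % M)

E = (0, 0)
ELEMENTS = [(g, h) for g in range(N) for h in range(M)]

def inverse(p):
    return next(q for q in ELEMENTS if mul(p, q) == E)

def order(p):
    k, q = 1, p
    while q != E:
        q, k = mul(q, p), k + 1
    return k

def is_abelian():
    return all(mul(p, q) == mul(q, p) for p, q in product(ELEMENTS, repeat=2))

def conjugate(p, q):
    """Inn(p)(q) = p q p^{-1}."""
    return mul(mul(p, q), inverse(p))

def center():
    """ker(Inn): the elements commuting with everything."""
    return [z for z in ELEMENTS if all(mul(z, p) == mul(p, z) for p in ELEMENTS)]

def eq_2_1_holds():
    """(e_G, h)(g, e_H)(e_G, h)^{-1} = (theta(h)(g), e_H), so G x {e_H} is normal."""
    return all(conjugate((0, h), (g, 0)) == (theta(h)(g), 0)
               for g in range(N) for h in range(M))

def distinct_conjugates():
    """Section 2.2: Inn is non-constant, i.e. some distinct elements are conjugate."""
    return [(q, conjugate(p, q)) for p in ELEMENTS for q in ELEMENTS
            if conjugate(p, q) != q]
```

Running `center()` returns `[(0, 0), (2, 0)]`, so $Inn(G) \cong G/Z(G)$ has order 4 here, and `distinct_conjugates()` lists pairs such as $(1,0)$ and $(3,0)$, which are conjugate by $(0,1)$.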

2.2 Conjugacy Problem 

One of the most important characteristics of non abelian groups, distinguishing 
them from abelian groups, is that $Inn$ is not constant, i.e. there exist two distinct 
elements which are conjugate to each other. 

Definition 2. (1) For arbitrary $x, y \in G$, the conjugacy problem is to find $w \in G$ 
such that $wxw^{-1} = y$. 

(2) For a given $Inn(g)$, the special conjugacy problem is to find $g'$ satisfying 
$Inn(g') = Inn(g)$. 

There are many groups where the word problem is known to be solvable in 
polynomial time while there is no known polynomial time algorithm to solve the 
conjugacy problem (the braid group is an example). If G is a non abelian 
group and its conjugacy problem is hard in G, we can consider the following 
cryptosystem. Let $\{\delta_i\}$ be a set of generators of G. Let g be an element of G. 
The public key is $\{\varepsilon_i = g\delta_i g^{-1}\}$ and the secret key is g. Mathematically, the 
public key can be expressed as $Inn(g)$. Then the ciphertext is $E = Inn(g)(m)$ 
and the deciphertext is $g^{-1}Eg$. In order to use such an encryption 
scheme, every element of G should be easily expressible as a product of the $\delta_i$’s. 
If an element of G is also easily expressible as a product of the $\varepsilon_i$’s, then we also 
obtain $Inn(g^{-1})$ immediately (it maps each $\varepsilon_i$ to $\delta_i$). Since $g^{-1}Eg = Inn(g^{-1})(E)$, we can decrypt 
without knowing g. Thus it is essential that elements of G should not be easily 
expressible as products of the $\varepsilon_i$’s. 

This system depends on the difficulty of finding $g'$ satisfying $Inn(g') = 
Inn(g)$ for a given $Inn(g)$, i.e. the above system is based on the special con- 
jugacy problem. Unfortunately, we know few finite non abelian groups to which 
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we can apply the above system. For example, the general linear group $GL(2, \mathbb{Z}_p)$ 
and the special linear group $SL(2, \mathbb{Z}_p)$ are non abelian groups on which the (spe- 
cial) conjugacy problem is not difficult (see Appendix A). 

Remark 1. If we use the DLP in $SL(2, \mathbb{Z}_p)$, we choose $g \in SL(2, \mathbb{Z}_p)$ whose order 
is divisible by p. The order of $SL(2, \mathbb{Z}_p)$ is $|SL(2, \mathbb{Z}_p)| = p(p-1)(p+1)$. Such 
elements which we are aware of are the conjugates of $I + c\delta_{12}$ and $I + c\delta_{21}$, 
where $c \in \mathbb{Z}_p$ and $\delta_{ij}$ is the matrix whose entries are all zero except the $(i, j)$-entry, 
which is 1. Let $g = A(I + \delta_{12})A^{-1}$ for 

$$A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL(2, \mathbb{Z}_p).$$ 

Then we have 

$$g^m = A(I + m\delta_{12})A^{-1} 
= \begin{pmatrix} ad - bc - mac & ma^2 \\ -mc^2 & ad - bc + mac \end{pmatrix} 
= \begin{pmatrix} 1 - mac & ma^2 \\ -mc^2 & 1 + mac \end{pmatrix}. \qquad (2.3)$$ 

Consider the DLP in the cyclic group $\langle g^m \rangle$. Since the (1,2)-components of $g^m$ and $g^{ml}$ 
are $ma^2$ and $mla^2$, respectively, we can obtain $l \bmod p$ by a single division (if $a = 0$, 
the (2,1)-components $-mc^2$ and $-mlc^2$ serve the same purpose, since a and c cannot both vanish). 
Hence the DLP in $\langle g^m \rangle$ is not a hard problem. So neither the (special) conjugacy problem 
nor the DLP is a hard problem in $SL(2, \mathbb{Z}_p)$. 

3 New Cryptosystem 

In this section, we suggest a new encryption scheme which is based on the DLP in 
the inner automorphism group. 

Let G be a non abelian group with non trivial center $Z(G)$. We assume that 
$Z(G)$ is not small. Let g be an element of G. 



Proposed encryption scheme. Let $\{\gamma_i\}$ be a set of generators of G. Since 
$Inn(g)$ is a homomorphism, $Inn(g)$ is determined once we know the $Inn(g)(\gamma_i)$, i.e. if we 
express m as $\gamma_{j_1} \cdots \gamma_{j_n}$, then $Inn(g)(m) = Inn(g)(\gamma_{j_1}) \cdots Inn(g)(\gamma_{j_n})$. There- 
fore we can represent $Inn(g)$ by $\{Inn(g)(\gamma_i)\}$. The basic scheme is the following: 

- public key : $Inn(g)$, $Inn(g^a)$ 

- secret key : a 

Encryption 

1. Alice expresses a plaintext $m \in G$ as a product of the $\gamma_i$’s. 

2. Alice chooses an arbitrary b and computes $(Inn(g^a))^b$, i.e. $\{(Inn(g^a))^b(\gamma_i)\}$. 

3. Alice computes $E = Inn(g^{ab})(m) = (Inn(g^a))^b(m)$. 

4. Alice computes $\phi = Inn(g)^b$, i.e. $\{Inn(g^b)(\gamma_i)\}$. 

5. Alice sends $(E, \phi)$. 
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Decryption 

1. Bob expresses E as a product of the $\gamma_i$’s. 

2. Bob computes $\phi^{-a}$, i.e. $\{Inn(g^{-ab})(\gamma_i)\}$. 

3. Bob computes $\phi^{-a}(E) = Inn(g^{-ab})(Inn(g^{ab})(m)) = m$. 

To implement our scheme, we should express $Inn(g^a)$ with few bits. Since 
G is a finitely generated group, $Inn(g^a)$ is expressed by $\{Inn(g^a)(\gamma_i)\}$ for a 
generator set $\{\gamma_i\}$. If we do not have a fast algorithm to express $\gamma \in G$ as a 
product of generators, we cannot actually work with $Inn(g^a)$. In the next section, 
we will introduce a non abelian group to which our scheme can be applied 
(see Section 4.3). 

Although our scheme looks like an ElGamal-type scheme, we need not change b 
for each encryption. In ElGamal-type encryption based on abelian groups (e.g. 
ECC), we must change b for each encryption. (If a fixed b is used, one can ob- 
tain $m_1^{-1}m_2 = (m_1 g^{ab})^{-1}(m_2 g^{ab})$.) But in our scheme, one cannot obtain 
$m_1^{-1}m_2$ from $Inn(g^{ab})(m_1)$ and $Inn(g^{ab})(m_2)$ in this way: their product only 
yields the conjugate $Inn(g^{ab})(m_1^{-1}m_2)$. Thus we may fix b. As we see in Sec- 
tion 4.3, this fact will be very useful for a fast encryption and decryption scheme. 

Due to the non commutativity of braid groups, the cryptosystem using braid 
groups has difficulty in making a signature scheme. However, our scheme en- 
ables us to make a signature scheme easily (e.g. a Nyberg-Rueppel type signature) 
even if G is non abelian. 

Now we consider methods to find a from the given $Inn(g)$ and $Inn(g^a)$. 
First, we solve the DLP in $\langle Inn(g) \rangle$ directly. The index calculus is the most efficient 
known method to solve the DLP, but its application is too restrictive to be 
applied to general cyclic groups. It seems that the index calculus cannot be 
applied to the group $\langle Inn(g) \rangle$. In general cases, the expected run time for solving the 
DLP is $O(\sqrt{p})$, where p is the order of the cyclic subgroup. 

Secondly, we solve the DLP in $\langle g \rangle$. If we assume that the special conjugacy prob- 
lem is not a hard problem, we can find $g_0$ satisfying $Inn(g_0) = Inn(g^a)$. We can 
easily verify that $g_0 = g^a z$ for some $z \in Z(G)$. If $|Z(G)|$ is large enough, then it 
is almost impossible to determine whether $g_0$ is an element of $\langle g \rangle$. Then even 
if the DLP in G may be easy, we cannot apply any algorithm to solve the DLP in G. 

We should be careful in the choice of a plaintext and g. If $[m, g] = e_G$, then 
$E = g^{ab}mg^{-ab} = m$. In particular, if m is a central element, then $E = m$, so m 
should not be chosen in the center. Also if g is a central element, then $Inn(g)$ is 
the identity map and so $E = m$. We should select a non central element g. 

We should note that there may be other attacks depending on G, as we see 
in Section 5. 

Remark 2. In the above scheme, $E = Inn(g^{ab})(m)$, so E and m are contained in 
the same conjugacy class. Assume that E is a ciphertext of either $m_0$ or $m_1$, 
which are not contained in the same conjugacy class. Then an adversary can find 
the right plaintext by examining the conjugacy class of E. To avoid this attack, 
we can use a padding method in the encryption (see Remark 4). It also 
makes the fast encryption and decryption scheme (which fixes b) non deterministic. 
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4 Construction of a Non Abelian Group 

4.1 An Example of a Non Abelian Group: $SL(2, \mathbb{Z}_p) \rtimes_\theta \mathbb{Z}_p$ 

If we use the semi-direct product, we can construct many non abelian groups 
with non trivial center, as in Section 5. But it is not easy to construct a non 
abelian group on which our system is secure. We modify $SL(2, \mathbb{Z}_p)$ by a semi- 
direct product as follows. There exists a cyclic subgroup $\langle \alpha \rangle$ of order p in 
$SL(2, \mathbb{Z}_p)$, e.g. $\langle I + \delta_{12} \rangle$. Let 

$$G = SL(2, \mathbb{Z}_p) \rtimes_\theta \mathbb{Z}_p,$$ 

where 

$$\theta = Inn \circ \theta_1 : \mathbb{Z}_p \to Aut(SL(2, \mathbb{Z}_p))$$ 

and $\theta_1$ is an isomorphism from $\mathbb{Z}_p$ to $\langle \alpha \rangle$. Then $\theta(y)(x) = \theta_1(y)\,x\,\theta_1(y)^{-1}$. Now 
we solve the conjugacy equations in G. Let $g = (x, y)$. Computing the conjugate 
of $(a, b)$, we obtain that 

$$(x, y)(a, b)(x, y)^{-1} = (x\,\theta(y)(a)\,\theta(b)(x^{-1}),\ b). \qquad (4.4)$$ 

If $b = 0$, we have 

$$(x, y)(a, 0)(x, y)^{-1} = (x\,\theta(y)(a)\,x^{-1},\ 0) = ((x\theta_1(y))\,a\,(x\theta_1(y))^{-1},\ 0). \qquad (4.5)$$ 

If we solve the special conjugacy problem in $SL(2, \mathbb{Z}_p)$ as we see in Appendix A, 
we can obtain $x\theta_1(y)$. Let $(x_1, y_1) \in G$ be such that $x_1\theta_1(y_1) = x\theta_1(y)$. For $b \neq 0$, if 
we use the fact that $\mathbb{Z}_p$ is an abelian group and $\theta_1$ is a homomorphism (so that 
$x_1^{-1} = \theta_1(y_1)\theta_1(y)^{-1}x^{-1}$), we can easily verify that 

$$\begin{aligned} 
x_1\theta(y_1)(a)\theta(b)(x_1^{-1}) &= x_1\theta_1(y_1)\,a\,\theta_1(y_1)^{-1}\theta_1(b)\,x_1^{-1}\theta_1(b)^{-1} \\ 
&= (x_1\theta_1(y_1))\,a\,\theta_1(y_1)^{-1}\theta_1(b)\theta_1(y_1)\theta_1(y)^{-1}x^{-1}\theta_1(b)^{-1} \\ 
&= (x\theta_1(y))\,a\,\theta_1(-y_1 + b + y_1)\theta_1(y)^{-1}x^{-1}\theta_1(b)^{-1} \\ 
&= x\theta_1(y)\,a\,\theta_1(b)\theta_1(y)^{-1}x^{-1}\theta_1(b)^{-1} \\ 
&= x\theta_1(y)\,a\,\theta_1(y)^{-1}\theta_1(b)\,x^{-1}\theta_1(b)^{-1} \\ 
&= x\theta(y)(a)\theta(b)(x^{-1}). 
\end{aligned} \qquad (4.6)$$ 

It can be easily verified that if $x_1\theta_1(y_1) = -x\theta_1(y)$, then the above equation also 
holds. Also note that the center $Z(SL(2, \mathbb{Z}_p)) = \{\pm I\}$. Hence the set of solutions 
of the special conjugacy problem is 

$$S = Inn^{-1}(Inn(g)) = \{(x_1, y_1) \mid y_1 \in \mathbb{Z}_p,\ x_1 = \pm x\theta_1(y - y_1)\}. \qquad (4.7)$$ 

The cardinality of S is $|S| = 2p$. Note that if $Inn(g) = Inn(g_1)$, then $Inn(g^{-1}g_1) = 
Id$. It means that $g^{-1}g_1$ is an element of the center of G. Also for any central 
element z, $Inn(gz) = Inn(g)$. So we know that $S = Inn^{-1}(Inn(g)) = gZ(G)$ 
and 

$$Z(G) = \{(x_1, y_1) \mid y_1 \in \mathbb{Z}_p,\ x_1 = \pm\theta_1(-y_1)\}. \qquad (4.8)$$ 
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The cardinality of the center of G is 2p. Note that the probabilities of choosing m 
(in $SL(2, \mathbb{Z}_p)$, of order about $p^3$) and g (in G, of order about $p^4$) in the center are smaller than 
$2p/p^3 = 2/p^2 \approx 0$ and $2p/p^4 = 2/p^3 \approx 0$, 
respectively. 

For a given $Inn(g)$, an m satisfying $[g, m] = e_G$ is a fixed point, i.e. 
$Inn(g)^{ab}(m) = m$. The cardinality of $Z[g] = \{m \mid [g, m] = e_G\}$ is $2p^2$ if we 
choose g of order p, and thus the probability of choosing m in $Z[g]$ is smaller 
than $2p^2/p^3 = 2/p \approx 0$. 

Remark 3. From Theorem 2 in Section 4.2, the DLP in G is reduced to a linear 
equation $ny = Y$ for given $y \neq 0$ and Y, and so it is an easy problem. 

4.2 Parameter Selections 

We will apply the above scheme to $G = SL(2, \mathbb{Z}_p) \rtimes_\theta \mathbb{Z}_p$. Since the last component 
is invariant under conjugation, we must take the message in $SL(2, \mathbb{Z}_p)$ (see 
(4.4)). 

In [20], we see that 

$$\left\{ T = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix},\ S = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix} \right\}$$ 

is a generator set of $SL(2, \mathbb{Z})$, and hence it is also a generator set of $SL(2, \mathbb{Z}_p)$. 
Moreover there exists an algorithm which finds a decomposition of each $g \in 
SL(2, \mathbb{Z}_p)$ as a product of T and S, i.e. 

$$g = S^{i_0} T^{j_1} S T^{j_2} S \cdots S T^{j_n} S^{i_{n+1}},$$ 

where $i_0, i_{n+1}$ are either 0 or 1 and $j_k = \pm 1, \pm 2, \ldots$. 

Theorem 1. If $g \in SL(2, \mathbb{Z}_p)$ has non zero (2,1)-entry, then 

$$g = T^{j_1} S T^{j_2} S T^{j_3}$$ 

for some $j_1, j_2, j_3 \in \mathbb{Z}_p$. 

Proof. By computing $T^{j_1}ST^{j_2}ST^{j_3}$, we obtain 

$$\begin{pmatrix} 1 & j_1 \\ 0 & 1 \end{pmatrix}\begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}\begin{pmatrix} 1 & j_2 \\ 0 & 1 \end{pmatrix}\begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}\begin{pmatrix} 1 & j_3 \\ 0 & 1 \end{pmatrix} 
= \begin{pmatrix} j_1 j_2 - 1 & j_1 j_2 j_3 - j_3 - j_1 \\ j_2 & j_2 j_3 - 1 \end{pmatrix}.$$ 

From this equation and the fact that $\mathbb{Z}_p$ is a field, we can find $j_1, j_2, j_3$ such 
that $g = T^{j_1}ST^{j_2}ST^{j_3}$ for any such $g \in SL(2, \mathbb{Z}_p)$: writing $g = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ with $c \neq 0$, 
take $j_2 = c$, $j_1 = (a+1)/c$ and $j_3 = (d+1)/c$; the (1,2)-entry is then $(ad-1)/c = b$. (Since every element of $SL(2, \mathbb{Z}_p)$ 
is determined when three entries are determined, we only need to consider 3 
entries.) 

Note that since $\mathbb{Z}$ is not a field, the above theorem does not hold in $SL(2, \mathbb{Z})$. 
Since $\{(T, 0), (S, 0), (I, 1)\}$ is a set of generators of G, we can obtain 
$Inn(g)$ if we know $gTg^{-1}$, $gSg^{-1}$ and $g(I, 1)g^{-1}$. Since $m \in SL(2, \mathbb{Z}_p)$ and 
$SL(2, \mathbb{Z}_p)$ is a normal subgroup of G, the restriction of $Inn(g)$ to $SL(2, \mathbb{Z}_p)$, 
$Inn(g)|_{SL(2, \mathbb{Z}_p)}$, can be considered as an automorphism of $SL(2, \mathbb{Z}_p)$. Hence the 
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public key is $Inn(g)|_{SL(2, \mathbb{Z}_p)}$ and $Inn(g^a)|_{SL(2, \mathbb{Z}_p)}$, precisely. In order to express 
$Inn(g)|_{SL(2, \mathbb{Z}_p)}$, we only need to know $\{gTg^{-1}, gSg^{-1}\}$. 

We choose $\theta_1(1)$ among the elements of $SL(2, \mathbb{Z}_p)$ whose order is p, e.g. $I + \delta_{12}$. 
We compute the order of $g = (x, y) \in G$. If $y \neq 0$, then the order of g is a 
multiple of p. 

Theorem 2. For $(x, y) \in G$, 

$$(x, y)^n = ((x\theta_1(y))^n\,\theta_1(y)^{-n},\ ny).$$ 

Proof. We prove this by induction. For $n = 1$, it is clear. Assume that 
Theorem 2 holds for $n = k$. Then we obtain that 

$$\begin{aligned} 
(x, y)^{k+1} &= (x, y)^k (x, y) = ((x\theta_1(y))^k\theta_1(y)^{-k},\ ky)(x, y) \\ 
&= ((x\theta_1(y))^k\theta_1(y)^{-k}\,\theta(ky)(x),\ (k+1)y) \\ 
&= ((x\theta_1(y))^k\theta_1(y)^{-k}\theta_1(y)^k\,x\,\theta_1(y)^{-k},\ (k+1)y) \\ 
&= ((x\theta_1(y))^k(x\theta_1(y))\,\theta_1(y)^{-(k+1)},\ (k+1)y) \\ 
&= ((x\theta_1(y))^{k+1}\theta_1(y)^{-(k+1)},\ (k+1)y), 
\end{aligned} \qquad (4.9)$$ 

which completes the proof. 

We may choose $g = (x, y)$ satisfying $x\theta_1(y) = A(I + c\delta_{12})A^{-1}$ for some 
fixed $c \in \mathbb{Z}_p$, $c \neq 0$, and $A \in SL(2, \mathbb{Z}_p)$. Then the order of $Inn(g)$ is p 
by Theorem 2. If we choose g arbitrarily and the order of g is not fixed, then 
the security may be increased, since we should know the order of a given cyclic 
group to apply a known algorithm for the DLP, i.e. we should solve the DLP under the 
assumption that the order of g is pd for each $d \mid (p+1)(p-1)$. 
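The following Python, added here and not part of the paper, runs the scheme of Section 3 on the group $G = SL(2, \mathbb{Z}_p) \rtimes_\theta \mathbb{Z}_p$ of Section 4 the way Section 4.2 prescribes: the public key is $Inn(g)|_{SL(2,\mathbb{Z}_p)}$ given by the two images $gTg^{-1}, gSg^{-1}$; every power $Inn(g)^a$, $Inn(g^a)^b$ and $Inn(g^b)^{-a}$ is computed from generator images alone by composing homomorphisms through the Theorem 1 decomposition (the computation whose cost Section 4.3 counts); and $Inn(g^b)^{-a}$ is taken as $Inn(g^b)^{p-a}$ because $Inn(g)$ has order p. It assumes $\theta_1(y) = T^y$ (so $\theta_1(1) = I + \delta_{12}$), a toy prime $p = 1019$ instead of a 160-bit one, exponents drawn from Python's `random`, and it handles a zero (2,1)-entry, which Theorem 1 excludes, by decomposing $MS$ and appending $S^3$; those choices and all names are mine.

```python
# Added example, not the paper's code: the Section 3 scheme on
# G = SL(2,Z_p) x_theta Z_p (Section 4), with Inn(g) restricted to SL(2,Z_p)
# and published only as the images of the generators T, S (Section 4.2).
# Powers of Inn(g) and Inn(g^a) are computed from those images alone via the
# Theorem 1 decomposition; g itself is used only inside keygen.
# Assumptions (mine): theta_1(y) = T^y, a toy prime p, exponents from random.
import random

P = 1019                    # toy prime; the paper proposes a 160-bit p
T = ((1, 1), (0, 1))        # I + delta_12, order p; also theta_1(1)
S = ((0, P - 1), (1, 0))    # [[0, -1], [1, 0]]

def mat_mul(X, Y, p=P):
    (a, b), (c, d) = X
    (e, f), (g, h) = Y
    return (((a*e + b*g) % p, (a*f + b*h) % p), ((c*e + d*g) % p, (c*f + d*h) % p))

def mat_inv(X, p=P):        # det X = 1, so the adjugate is the inverse
    (a, b), (c, d) = X
    return ((d % p, (-b) % p), ((-c) % p, a % p))

def mat_pow(X, n, p=P):
    R, B = ((1, 0), (0, 1)), X
    while n:
        if n & 1:
            R = mat_mul(R, B, p)
        B, n = mat_mul(B, B, p), n >> 1
    return R

def decompose(M, p=P):
    """Theorem 1: M = T^j1 S T^j2 S T^j3 S^k, k = 0, when the (2,1) entry c != 0
    (j2 = c, j1 = (a+1)/c, j3 = (d+1)/c).  If c = 0, decompose M*S (its (2,1)
    entry is d != 0) and append k = 3 because S^4 = I."""
    (a, b), (c, d) = M
    if c % p == 0:
        j1, j2, j3, _ = decompose(mat_mul(M, S, p), p)
        return j1, j2, j3, 3
    cinv = pow(c, -1, p)
    return (a + 1) * cinv % p, c % p, (d + 1) * cinv % p, 0

def hom_apply(phi, M, p=P):
    """Apply the automorphism with generator images phi = (phi(T), phi(S)) to M:
    a homomorphism acts factor by factor on the Theorem 1 decomposition."""
    phiT, phiS = phi
    j1, j2, j3, k = decompose(M, p)
    R = mat_mul(mat_pow(phiT, j1, p), phiS, p)
    R = mat_mul(mat_mul(R, mat_pow(phiT, j2, p), p), phiS, p)
    return mat_mul(mat_mul(R, mat_pow(phiT, j3, p), p), mat_pow(phiS, k, p), p)

def hom_compose(psi, phi, p=P):
    """psi o phi is determined by psi(phi(T)) and psi(phi(S))."""
    return hom_apply(psi, phi[0], p), hom_apply(psi, phi[1], p)

def hom_pow(phi, n, p=P):
    """phi^n by square-and-multiply on generator images: this is how Inn(g)^a
    = Inn(g^a) is obtained from Inn(g) without knowing g."""
    R, B = (T, S), phi
    while n:
        if n & 1:
            R = hom_compose(R, B, p)
        B, n = hom_compose(B, B, p), n >> 1
    return R

def inn_restricted(w, p=P):
    """Inn(g)|SL(2,Z_p) for g = (x, y) is conjugation by w = x theta_1(y) (4.5)."""
    winv = mat_inv(w, p)
    return (mat_mul(mat_mul(w, T, p), winv, p), mat_mul(mat_mul(w, S, p), winv, p))

def keygen(seed, p=P):
    """g = (x, y) with x theta_1(y) = A (I + c delta_12) A^{-1}, so Inn(g) has
    order p (Theorem 2).  Public: (Inn(g), Inn(g)^a).  Secret: a."""
    rng = random.Random(seed)
    a1, b1, c1 = rng.randrange(1, p), rng.randrange(p), rng.randrange(1, p)
    A = ((a1, b1), (c1, (1 + b1 * c1) * pow(a1, -1, p) % p))   # det A = 1
    c = rng.randrange(1, p)
    w = mat_mul(mat_mul(A, ((1, c), (0, 1)), p), mat_inv(A, p), p)
    y = rng.randrange(1, p)
    x = mat_mul(w, mat_pow(T, p - y, p), p)                     # x = w T^{-y}
    a = rng.randrange(1, p)
    inn_g = inn_restricted(w, p)
    return (inn_g, hom_pow(inn_g, a, p)), a, (x, y)

def encrypt(pub, m, b, p=P):
    """E = Inn(g^a)^b(m) = g^{ab} m g^{-ab}, sent together with phi = Inn(g)^b."""
    inn_g, inn_ga = pub
    return hom_apply(hom_pow(inn_ga, b, p), m, p), hom_pow(inn_g, b, p)

def decrypt(a, E, phi, p=P):
    """phi^{-a}(E); Inn(g) has order p, so phi^{-a} = phi^{p-a}."""
    return hom_apply(hom_pow(phi, (p - a) % p, p), E, p)

def demo(seed=1):
    pub, a, _ = keygen(seed)
    m = ((2, 3), (5, 8))                 # constructed plaintext: det 1, not central
    b = random.Random(seed + 1).randrange(1, P)
    E, phi = encrypt(pub, m, b)
    return m, E, decrypt(a, E, phi)      # decrypt(...) == m
```

`demo()` returns the plaintext, the ciphertext and the decrypted matrix, and the last two agree. Two checks worth running: `hom_pow(inn_g, a)` equals `inn_restricted(w^a)`, which is Theorem 2 read on the $SL(2,\mathbb{Z}_p)$ part, and encrypting $-I$ returns $-I$ unchanged, which is the fixed-point caveat of Section 3 (a central m must not be used).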



4.3 Security and Efficiency 

Security of the system. We check the security of our system against solving the 
DLP in $\langle Inn(g) \rangle$ directly. From the public data $Inn(g)$ and $Inn(g^a)$, we solve the 
DLP to obtain the secret key a. In this case, it seems that the fastest algorithm 
(index calculus) to solve the DLP cannot be applied, since $\langle Inn(g) \rangle$ is contained in 
$Aut(G) \subset End(G) \subset G^G$, where $End(G)$ is the set of endomorphisms of G and 
$G^G$ is the set of all functions from G to G. We cannot apply the index calculus 
to any of them since they are not even expressed as matrix groups. 

So the expected run time for solving the DLP is $O(\sqrt{p})$ group operations if the 
order of g is p. (In order to increase the security of the system, we can choose g 
with an order which is a multiple of p. If $p + 1 = p_1^{e_1} \cdots p_n^{e_n}$, then the total 
number of divisors of $p + 1$ is $(e_1 + 1) \cdots (e_n + 1)$. To find the order of g, we need 
$(e_1 + 1) \cdots (e_n + 1)$ trials, and it takes $(e_1 + 1) \cdots (e_n + 1) \cdot O(\sqrt{p})$ group operations.) 

Now we check the security of our system against the second method in Section 
3. As we see in Appendix A, the special conjugacy problem in G is not a hard 
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problem. Let $S = \{g_i \mid Inn(g_i) = Inn(g^a)\}$. We can immediately obtain a from 
$g = (x, y)$ and $g^a = (X, Y)$, since if 

$$(x, y)^a = ((x\theta_1(y))^a\theta_1(y)^{-a},\ ay) = (X, Y), \qquad (4.10)$$ 

we only need to solve $ay = Y$ to solve the DLP for g and $g^a$. But since $|S| = 2p$, 
we need $O(p)$ trials to find $g^a$ in S. So it is less efficient than finding a from 
$Inn(g)$ and $Inn(g^a)$ directly. 

For the DLP to be a hard problem in $\langle Inn(g) \rangle$, we choose a 160-bit prime p. Then 
the security of our system is comparable to 1024-bit RSA. (The expected run 
times for solving the DLP in $\langle Inn(g) \rangle$ and for factoring a 1024-bit RSA modulus are about 
$2^{80}$ and $2^{80}$, respectively.) 

If we compare our system with RSA and XTR, our system has the following 
advantage. In RSA and XTR, the expected run time to find the private key 
from the public key is subexponential, $L[n, 1/3, 1.923]$. In our system, it takes 
an exponential run time $O(\sqrt{p})$, as in ECC. 

Number of multiplications in $\mathbb{Z}_p$. Now we consider the number of multi- 
plications in $\mathbb{Z}_p$ required for computing $Inn(g)^2$ from $Inn(g)$. We can express 
$Inn(g)(S)$ and $Inn(g)(T)$ in the form $T^{j_1}ST^{j_2}ST^{j_3}$ of Theorem 1. Each 
decomposition takes 2 multiplications by Theorem 1. Then, with $j_1, j_2, j_3$ the exponents 
in the decomposition of $Inn(g)(S)$, 

$$Inn(g)^2(S) = Inn(g)(T^{j_1}ST^{j_2}ST^{j_3}) 
= (Inn(g)(T))^{j_1}(Inn(g)(S))(Inn(g)(T))^{j_2}(Inn(g)(S))(Inn(g)(T))^{j_3},$$ 

and $Inn(g)^2(T)$ is obtained in the same way from the decomposition of $Inn(g)(T)$. 

From (2.3) in Remark 1, we can obtain $(Inn(g)(T))^j$ from $Inn(g)(T)$ with 
4 multiplications. More precisely, since $Inn(g)(T)$ is a conjugate of $T = I + \delta_{12}$, if 

$$Inn(g)(T) = \begin{pmatrix} 1 - ac & a^2 \\ -c^2 & 1 + ac \end{pmatrix},$$ 

then 

$$(Inn(g)(T))^j = \begin{pmatrix} 1 - jac & ja^2 \\ -jc^2 & 1 + jac \end{pmatrix}.$$ 

It takes 92 multiplications to compute $Inn(g)^2(S)$ and $Inn(g)^2(T)$. So 
it takes about $92\log_2 p$ multiplications to compute $Inn(g^a)$ from $Inn(g)$. 
Also $92\log_2 p$ multiplications are needed to compute $Inn(g^{ab})$ from $Inn(g^a)$. 
So the number of multiplications for encryption is $184\log_2 p$. Since one multi- 
plication needs $O((\log_2 p)^2)$ bit operations, the encryption needs about 
$184(\log_2 p)^3 C \approx 8 \times 10^8 C$ bit operations for some constant C. In 1024-bit RSA, 
it takes $(\log_2 n)^3 C \approx (1024)^3 C \approx 10^9 C$ bit operations. If the public exponent in 
the RSA encryption scheme is a 32-bit number, then it takes $3.2 \times 10^7 C$ bit operations. 
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Fast encryption and decryption. We can reduce the number of bit operations 
as follows. Assume that Bob wants to send an encrypted message to Alice. Then 
Bob computes $Inn(g^a)^b$ and $Inn(g^b)$ for a fixed b and sends $Inn(g^b)$ to Alice. 
As we saw in Section 3, we may fix b, i.e. contrary to ElGamal encryption, one 
cannot obtain $m_1^{-1}m_2$ from $Inn(g^{ab})(m_1)$ and $Inn(g^{ab})(m_2)$ in our scheme. Alice 
computes $Inn(g^b)^{-a}$ once. Bob will encrypt a message m as $E = Inn(g^a)^b(m)$ and 
send E to Alice. Alice will decrypt E by computing $Inn(g^b)^{-a}(E)$. 

In order to compute $Inn(g^a)^b(m)$ from the given $Inn(g^a)^b$ and m, it takes 46 
multiplications, and so it takes about $1.2 \times 10^6 C$ bit operations in encryption. 
Even if a 32-bit public exponent is used in RSA, $3.2 \times 10^7 C$ bit operations are 
needed in encryption. Encryption in our system is about 30 times faster than 
1024-bit RSA. 

In decryption in our system, we need the same number of multiplications as in 
encryption. In decryption of RSA, it takes about $2.5 \times 10^8 C$ bit operations 
even if we use the Chinese Remainder Theorem. Thus decryption in our system 
is about 200 times faster than that of RSA. 

If we compare our system with ECC, our system has an advantage in 
decryption too. In ECC, since b is not fixed, precomputation of $g^b$ is impossible. 
The number of multiplications for decryption in 170-bit ECC is about 1900, 
so our system is about 40 times faster than ECC. 

In ECC, decryption needs $O(\log_2 p)$ multiplications, and thus the num- 
ber of multiplications increases linearly with the number of bits 
$\log_2 p$. The decryption in our system always needs 46 multiplications, 
independent of the size of p. In Table 1, we roughly compare the number of mul- 
tiplications for decryption in our system with ECC. Note that the cryptosystems 
in the same row have roughly the same security. 

This fast scheme can be useful in many applications. 

Table 1. Comparison of run times for decryption with ECC (number of multiplications) 

  r-bit security   our PKC (r-bit)   r-bit ECC 
  r = 170                46             1900 
  r = 240                46             2700 
  r = 310                46             3500 


Remark 4. We can encrypt a message with a padding as follows. 
Let $M \neq 0$ be a message and $r_1, r_2$ be random numbers in $\mathbb{Z}_p$. We encrypt a matrix 
$m \in SL(2, \mathbb{Z}_p)$ that carries M, $r_1$ and $r_2$ as entries (its second row is $(r_2, M)$), 
the remaining entry being fixed by $\det m = 1$. Then m can be an element of any conjugacy class 
by varying $r_1, r_2$. It prevents an adversary from determining the right plaintext 
among two given plaintexts by examining the conjugacy class of E. Furthermore, 
since b is fixed, the encryption and the decryption are still fast, but the encryption 
scheme is no longer deterministic. 
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Expression and key size. Since $Inn(g^a)(T)$ and $Inn(g^a)(S)$ can be considered 
as elements of $SL(2, \mathbb{Z}_p)$, we can express each of them by three entries. Since $Inn(g^a)(T)$ 
can be expressed in $3\log_2 p$ bits, $6\log_2 p$ bits are needed to express $Inn(g^a)$. If p 
is a 160-bit prime number, then it takes 960 bits to express $Inn(g^a)$. So we can 
express the public key in a smaller size than RSA. 

The secret key size is $\log_2 p \approx 160$ bits, and so it is much smaller than in 1024-bit 
RSA. 

5 Other Examples 

5.1 The General Linear Group $GL(k, \mathbb{Z}_p)$ 

One of the most familiar non abelian groups is the general linear group $GL(k, \mathbb{Z}_p)$. 
Since cI is a central element for any $c \neq 0$, the center of $GL(k, \mathbb{Z}_p)$ is sufficiently 
large, i.e. $|Z(GL(k, \mathbb{Z}_p))| = p - 1 > p/2$. We know that $Inn(g)$ can be represented by 
a linear map on the $k \times k$ matrix ring $M_k(\mathbb{Z}_p)$. So we can represent $Inn(g)$ by a 
$k^2 \times k^2$ matrix $R(g)$. So the DLP in $\langle Inn(g) \rangle$ is convertible to the DLP in the 
$k^2 \times k^2$ matrix ring. 

We must be careful in the choice of g. Considering an attack using the de- 
terminant, we choose g whose order is much larger than p (e.g. $p(p-1)$). It 
would be better to choose g satisfying $\det(R(g)) = 1$. Also the characteristic 
polynomial of $R(g)$ should be irreducible. 



5.2 Other Constructions 

We introduce some methods to obtain non abelian groups. For a given non 
abelian group G, we can obtain a new non abelian group $Inn(G)$ as we saw in the 
previous sections. Also $Inn(Inn(G))$ can be obtained from $Inn(G)$. Inductively 
we can make many non abelian groups from a given non abelian group. Since 
$Inn(G) \cong G/Z(G)$, this method reduces the size of a given group. 

Extensions of non abelian groups are obtained as follows. First, let $\theta_1$ be a 
homomorphism on G. (It may be the identity map.) We define $\theta$ as follows: 

$$\theta = Inn \circ \theta_1 : G \to Aut(G), \qquad g \mapsto Inn(\theta_1(g)).$$ 

Then we construct an extension of G, $\tilde{G} = G \rtimes_\theta G$. We can easily obtain $Z(\tilde{G}) = 
\{(x, y) \in G \rtimes_\theta G \mid x, y \in Z(G)\}$. If we use the group G of Section 4, $|Z(\tilde{G})| = 4p^2$. 

Secondly, let G be a non abelian group and H be a subgroup of the auto- 
morphism group $Aut(G)$. We construct a non abelian group naturally. Let 
$\theta = Id$, the inclusion of H into $Aut(G)$. Then we can easily obtain $G \rtimes_\theta H$. For example, we can always obtain 
$Inn(G) \cong G/Z(G)$ and $G \rtimes_\theta Inn(G)$. If we know other subgroups of $Aut(G)$, 
we can construct many useful non abelian groups. 
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Nilpotent group $G = (\mathbb{Z}_p \times \mathbb{Z}_p) \rtimes_\theta \mathbb{Z}_p$. Since $Aut(\mathbb{Z}_p \times \mathbb{Z}_p) = GL(2, \mathbb{Z}_p)$, 
we can make the following non abelian group. There exists an injective homo- 
morphism 

$$\theta : \mathbb{Z}_p \to SL(2, \mathbb{Z}_p).$$ 

Then we can construct $G = (\mathbb{Z}_p \times \mathbb{Z}_p) \rtimes_\theta \mathbb{Z}_p$. Since G is a p-group, it is a nilpotent 
group. Hence G has a non trivial center and its cardinality is at least p. 

In this case, a generator set of G is $\{e_1 = (1, 0, 0),\ e_2 = (0, 1, 0),\ e_3 = (0, 0, 1)\}$ 
and we can easily express any element of G as a product of the $e_i$’s. Then 

$$Inn((X, y))(e_1) = (\theta(y)((1, 0)),\ 0)$$ 

and 

$$Inn((X, y))(e_2) = (\theta(y)((0, 1)),\ 0).$$ 

So $\theta(y) \in SL(2, \mathbb{Z}_p)$ can be easily obtained. If $g^a = (X', ay)$ and $g = (X, y)$, then 
we can obtain $\theta(y)^a$ and $\theta(y)$. We can solve the DLP in $SL(2, \mathbb{Z}_p)$ as in Remark 
1. Hence the cryptosystem in Section 3 is not secure in $G = (\mathbb{Z}_p \times \mathbb{Z}_p) \rtimes_\theta \mathbb{Z}_p$. 

This phenomenon occurs because the variables X and y are separated. We note here 
that X and y are separated since the subgroup $\mathbb{Z}_p \times \mathbb{Z}_p$ is abelian. To prevent the 
separation of variables, we suggest the following non abelian group. 



Semi-direct product $G = (\mathbb{Z}_p \rtimes_{\theta_1} \mathbb{Z}_q) \rtimes_{\theta_2} \mathbb{Z}_q$. We replace the abelian group 
$\mathbb{Z}_p \times \mathbb{Z}_p$ by $\mathbb{Z}_p \rtimes \mathbb{Z}_q$, where q is a prime satisfying $q \mid (p-1)$. Then we can prevent 
the separation of variables. Since $Aut(\mathbb{Z}_p) = \mathbb{Z}_p^* \cong \mathbb{Z}_{p-1}$, we can make $\mathbb{Z}_p \rtimes_{\theta_1} \mathbb{Z}_q$, 
where $\theta_1$ is an injective homomorphism from $\mathbb{Z}_q$ to $\mathbb{Z}_p^*$. We denote $\mathbb{Z}_p \rtimes_{\theta_1} \mathbb{Z}_q$ by 
H. Then H is not abelian. 

We will apply the same method as in Section 4.2. We can consider $\mathbb{Z}_q$ as a 
subgroup of H. Its conjugates are also cyclic subgroups of order q. Let K be one 
of the conjugates of $\mathbb{Z}_q$ in H. Then there exists an isomorphism $\theta'$ from $\mathbb{Z}_q$ to 
K, and we set $\theta_2 = Inn \circ \theta'$. 

Equations (4.5), (4.6) and (4.7) also hold in $G = (\mathbb{Z}_p \rtimes_{\theta_1} \mathbb{Z}_q) \rtimes_{\theta_2} \mathbb{Z}_q$. Then we can 
find the center of G, of order q, as in Section 4.1. 

In this case, we denote a generator set of $\mathbb{Z}_p \rtimes_{\theta_1} \mathbb{Z}_q$ by $e_1 = (1, 0, 0)$ and 
$e_2 = (0, 1, 0)$. Since $\mathbb{Z}_p$ is a normal subgroup of G, we may assume that $Inn(g)(e_1) = 
(a_1, 0, 0)$ and $Inn(g)(e_2) = (b_1, b_2, 0)$. We can prove by induction that 

$$(z, w)^n = \left( z\,\frac{\theta_1(w)^n - 1}{\theta_1(w) - 1},\ nw \right)$$ 

for $(z, w) \in \mathbb{Z}_p \rtimes_{\theta_1} \mathbb{Z}_q$ with $w \neq 0$ (for $w = 0$ it is simply $(nz, 0)$). Then we have, for $g = (x_1, x_2, y)$, 

$$Inn(g^2)(e_1) = Inn(g)((a_1, 0, 0)) = (Inn(g)(e_1))^{a_1} = (a_1, 0, 0)^{a_1} = (a_1^2, 0, 0)$$ 

and 
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$$Inn(g^2)(e_2) = Inn(g)((b_1, b_2, 0)) = (Inn(g)(e_1))^{b_1}(Inn(g)(e_2))^{b_2} 
= (a_1, 0, 0)^{b_1}(b_1, b_2, 0)^{b_2} = (a_1 b_1, 0, 0)\left( b_1\,\frac{\theta_1(b_2)^{b_2} - 1}{\theta_1(b_2) - 1},\ b_2^2,\ 0 \right).$$ 

From this, we obtain that $Inn(g^n)(e_1) = (a_1^n, 0, 0)$ with $a_1^n \in \mathbb{Z}_p$. Since $H = \mathbb{Z}_p \rtimes_{\theta_1} \mathbb{Z}_q$ 
is not an abelian group, the order of $\theta_1(1)$ is q. Thus the DLP in $\langle Inn(g) \rangle$ can be 
reduced to the DLP $n \mapsto a_1^n$ in $\mathbb{Z}_p^*$, and so the cryptosystem in Section 3 is not secure in 

$$G = (\mathbb{Z}_p \rtimes_{\theta_1} \mathbb{Z}_q) \rtimes_{\theta_2} \mathbb{Z}_q.$$ 

The reason for this phenomenon is that $\mathbb{Z}_p$ is an abelian normal subgroup. If a is 
a generator of an abelian normal subgroup, then $Inn(g)(a) = a^s$ for some s and 
$Inn(g^n)(a) = a^{s^n}$. So we can reduce the DLP in $\langle Inn(g) \rangle$ to the DLP $n \mapsto s^n$ in $\mathbb{Z}_p^*$. If 
we use $Inn(Inn(G))$ instead of $Inn(G)$, we can avoid such an attack. 



6 Concluding Remarks 

We have presented a novel public key cryptosystem (based on finite non abelian 
groups) and suggested some examples of finite non abelian groups. There may 
be other non abelian groups to be used in our system. However we must be 
careful in applying a non abelian group to our cryptosystem in order that the 
cryptosystem is secure. As we saw in Section 5, we should check the following: 

- The existence of an abelian normal subgroup reduces the security of the cryp- 
tosystem. So any abelian normal subgroup must be of small order. 

- The algorithm to express an element of G as a product of generators must 
be efficient. 

- Since $Inn(g)$ is expressed as $\{Inn(g)(\gamma_i) \in G \mid \gamma_i \text{ is a generator}\}$, both the 
number of generators and the number of bits needed to express an element of G must 
be small. 

We may use other homomorphisms from G to $Aut(G)$ instead of the inner 
automorphism (if they exist). Also we can consider the DLP in $End(G)$, the set of 
endomorphisms of G. 

If we know any representation of G, G can be considered as a subgroup of a 
large matrix group up to the kernel (we call a homomorphism from G to a matrix 
group a representation of G). Hence a representation of G is very useful for the 
cryptosystem of Section 3, as in Section 5.1. If we use the DLP in a subgroup $\langle g \rangle$ of a non abelian 
group and a representation R of G, it would be better to choose $\det(R(g)) = 1$. 
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Appendix A : Special Conjugacy Problem in Matrix 
Groups 



Let G be a matrix group, for example GL(2, R) or SL(2, R), where i? = Z or Zp 
for a prime number p. We will solve the special conjugacy problem in G. Let 



A = 




X = 
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We will find X from XAX ^ for A G G. Let 

and XAY- = (; ^ 

From the above equation, we obtain the following linear equations, 

ax = ax + f3z 
az = jx + 6z 
bx + dy = ay + (3w 
bz + dw = 72 / + 5w. 



From the first equation, we can easily obtain the ratio of x to z, i.e. {a—a)x = fdz. 
(Note that we cannot obtain other ratios as we see in Example 2.) 

Similarly, if we solve the conjugacy equation for $XA'X^{-1}$ and a second matrix $A' \in G$,
we obtain another linear system. If we replace $\beta z$ by $(a - \alpha)x$ there, we can obtain the
remaining ratios between x, y, z and w. So we can solve the special conjugacy
problem in G easily. Example 2 illustrates the procedure.

Note that the conjugacy problems in SL(2, R) or GL(2, R) are not difficult:
a single conjugacy equation yields at most two independent linear equations, so a second
public pair already determines the solution.

Example 2. In [2] the author suggested a public key system using SL(2, Z). It
was shown in [3] that this system is not secure. For the point-based scheme in
[2], we can find the secret key if we solve the conjugacy equations directly as
above. Let

^=(l"o0 



Then {A,B} is a generator set of SL(2,Z). Furthermore, A^ = = —I, 

and so every element in SL(2, Z) can be expressed in the normal form
$E A^{i_1} B A^{i_2} B \cdots B A^{i_k}$, where $i_j = 0, 1$ or $2$. In the public key system suggested

in [2], they use a semigroup generated by $\{V_1 = (BA)^i,\ V_2 = (BA^2)^j\}$ for given
$i, j \geq 2$. The public key is $\{MV_1M^{-1}, MV_2M^{-1}\}$ and the secret key is M. In
order to find the secret key from the public key, we must solve the conjugacy
equations. For example, let

$$V_1 = (BA)^2 = \begin{pmatrix} 1 & 0 \\ 2 & 1 \end{pmatrix}.$$

Then the public key for $V_1$ is $MV_1M^{-1} = \begin{pmatrix} 5 & -2 \\ 8 & -3 \end{pmatrix}$. Put

$$M = \begin{pmatrix} x & y \\ z & w \end{pmatrix}$$

and find M by solving the conjugacy equation for $V_1$ and $MV_1M^{-1}$, i.e. $MV_1 = (MV_1M^{-1})M$. We obtain
the following linear equations:



$$\begin{aligned}
4x - 2y - 2z &= 0 \\
4y - 2w &= 0 \\
8x - 4z - 2w &= 0 \\
8y - 4w &= 0.
\end{aligned}$$



Then we have $2y = w$ and $2x = y + z$. (Check that we cannot obtain other ratios from these
equations.)

If we solve the conjugacy equation for $V_2$ and $MV_2M^{-1}$, we obtain
$5x = 3z$ and $x + 15y - 9w = 0$. Replacing w by 2y, we have $x = 3y$, so $2x = 3w$ and $z = 2x - y = 5y$.
Hence we obtain the secret key

$$M = C \begin{pmatrix} 3 & 1 \\ 5 & 2 \end{pmatrix}$$

for some C. Since $\det(M) = 1$, we obtain that $C = 1$ (strictly $C^2 = 1$; the other sign gives
$-M$, which yields the same public key because $-I$ is central).

We should note that the solution space in GL(2, R) always has dimension at least 1,
since scalar multiples of a solution are again solutions. From one conjugacy equation,
we can obtain at most two linearly independent equations. Combining two conjugacy
equations, we obtain three linearly independent equations and a one-dimensional solution
space. In SL(2, Z_p), the determinant condition then leaves only one solution up to sign.
We can apply the same method to any other $V_1, V_2$ suggested in [2].
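The procedure of this appendix and of Example 2 in runnable form, as an added example (editor's code, not the paper's): for each public pair it sets up the linear system $XV - (MVM^{-1})X = 0$, computes the rational nullspace, and scales the one-dimensional solution to determinant 1. The generators A and B, the secret key M and hence the public pairs are the editor's reconstruction, chosen because they reproduce exactly the linear systems printed in Example 2; the paper's own matrices are illegible in this copy, so treat these values as assumptions.

```python
from fractions import Fraction
from math import isqrt

# Added example: the linear-algebra attack of Appendix A / Example 2 on the
# SL(2,Z) conjugacy-based scheme.  All matrices below are the editor's
# assumptions; they reproduce the linear systems printed in Example 2.
A = [[1, 1], [-1, 0]]        # assumed generators of SL(2,Z)
B = [[0, 1], [-1, 0]]
M_SECRET = [[3, 1], [5, 2]]  # assumed secret key, det = 1

def mat_mul(P, Q):
    """Product of two 2x2 matrices with int or Fraction entries."""
    return [[sum(P[i][k] * Q[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def mat_pow(P, e):
    R = [[1, 0], [0, 1]]
    for _ in range(e):
        R = mat_mul(R, P)
    return R

def mat_det(P):
    return P[0][0] * P[1][1] - P[0][1] * P[1][0]

def sl2_inverse(P):
    """The inverse of a determinant-1 matrix is its adjugate."""
    (a, b), (c, d) = P
    return [[d, -b], [-c, a]]

def keygen(i=2, j=2, M=M_SECRET):
    """Example 2: V1 = (BA)^i, V2 = (BA^2)^j; public key {M V1 M^-1, M V2 M^-1}."""
    V1 = mat_pow(mat_mul(B, A), i)
    V2 = mat_pow(mat_mul(B, mat_mul(A, A)), j)
    Minv = sl2_inverse(M)
    return [(V, mat_mul(mat_mul(M, V), Minv)) for V in (V1, V2)]

def conjugacy_rows(V, W):
    """Rows of the linear system X*V - W*X = 0 in the unknowns (x, y, z, w),
    where X = [[x, y], [z, w]]; one row per matrix entry (at most two are independent)."""
    rows = []
    for i in range(2):
        for j in range(2):
            row = [Fraction(0)] * 4
            for k in range(2):
                row[2 * i + k] += V[k][j]   # (X V)_{ij} = sum_k X_{ik} V_{kj}
                row[2 * k + j] -= W[i][k]   # (W X)_{ij} = sum_k W_{ik} X_{kj}
            rows.append(row)
    return rows

def nullspace(rows, ncols=4):
    """Basis of the rational nullspace of `rows` (Gauss-Jordan elimination over Q)."""
    m = [list(r) for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        pv = m[r][c]
        m[r] = [v / pv for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[fc] = Fraction(1)
        for i, pc in enumerate(pivots):
            v[pc] = -m[i][fc]
        basis.append(v)
    return basis

def recover_secret(public):
    """Special conjugacy problem: from pairs (V, M V M^-1) recover M up to sign
    (-I is central, so -M yields the same public key)."""
    rows = [row for V, W in public for row in conjugacy_rows(V, W)]
    basis = nullspace(rows)
    if len(basis) != 1:
        raise ValueError("solution space has dimension %d, expected 1" % len(basis))
    x, y, z, w = basis[0]
    N = [[x, y], [z, w]]               # N = t*M for a rational t, so det(N) = t^2
    d = mat_det(N)
    if d <= 0:
        raise ValueError("det(N) = %s is not positive; no SL(2) solution" % d)
    sn, sd = isqrt(d.numerator), isqrt(d.denominator)
    if sn * sn != d.numerator or sd * sd != d.denominator:
        raise ValueError("det(N) = %s is not a rational square" % d)
    M = [[e / Fraction(sn, sd) for e in row] for row in N]
    if any(e.denominator != 1 for row in M for e in row):
        raise ValueError("recovered key is not integral")
    return [[int(e) for e in row] for row in M]

if __name__ == "__main__":
    print(recover_secret(keygen()))
```

The attack needs both public pairs: one conjugacy equation leaves a two-dimensional solution space (`nullspace` on a single pair returns two vectors), and the determinant condition only fixes the remaining scalar up to sign, which is harmless because $-I$ is central.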
Abstract. Recently the braid groups were introduced as a new source
for cryptography. The group operations are performed efficiently and the
features are quite different from those of other cryptographically popular
groups. As the first step to put the braid groups into the area of pseudorandomness,
this article presents some cryptographic primitives under
two related assumptions in braid groups. First, assuming that the conjugacy
problem is a one-way function, say $f$, we show which particular bit
of the argument $x$ is pseudorandom given $f(x)$. Next, under the decision
Ko-Lee assumption, we construct two provably secure pseudorandom
schemes: a pseudorandom generator and a pseudorandom synthesizer.



1 Introduction 



The closely related notions of pseudorandomness and one-wayness are
quite important in modern cryptography [8,11,17]. These concepts are informally
stated as: (i) a distribution is pseudorandom if no efficient algorithm can
distinguish it from the uniform distribution; (ii) a function is one-way if it
is easy to evaluate but hard to invert.

Recently, some mathematically hard problems in braid groups have been
proposed as new candidates for cryptographic one-way functions. A braid
group $B_n$ is an infinite non-commutative group naturally arising from geometric
braids composed of $n$ strands. One of the famous problems in braid groups is the
conjugacy problem: Given $(\alpha, \beta) \in B_n \times B_n$, find (or determine whether there
exists) $x \in B_n$ such that $\beta = x^{-1}\alpha x$. This problem was first introduced in the
1920s, and no polynomial-time algorithm is known for $n \geq 5$. A variant of this
problem was first applied to cryptography to build a key agreement scheme by
Anshel et al. [2].

Ko et al. [12] introduced another variant of this problem: Given $\alpha,\ x_1^{-1}\alpha x_1,\ x_2^{-1}\alpha x_2 \in B_n$,
where $x_1$ and $x_2$ are contained in some known subgroups of
$B_n$ so that $x_1x_2 = x_2x_1$, find $x_2^{-1}x_1^{-1}\alpha x_1x_2 \in B_n$. For convenience, we call
this problem the Ko-Lee problem. The Ko-Lee problem looks like the Diffie-Hellman
problem in its structure, but not in its internal properties,
because of the different characteristics of the braid groups from finite commutative
groups. For instance, a braid group is non-commutative and it has no finite
subgroup except for the trivial subgroup. As the basis of the Ko-Lee problem,
they introduced, by restricting the conjugacy problem to a smaller braid group,
the $(n,m)$-generalized conjugacy problem (GCP): Given $(\alpha, \beta) \in B_n \times B_n$ and
$m\ (< n)$, find $y \in B_m$ such that $\beta = y^{-1}\alpha y$. Like the conjugacy problem, the
GCP and the Ko-Lee problem have no polynomial-time solving algorithm yet.

The motivation for this article is that the braid groups have the potential to be a
good source to enrich cryptography, from the point of view of their features and
efficient operations. In the sequel to the key agreement schemes [2,12] and the public-key
cryptosystem [12], we discuss how to construct cryptographic primitives in
the area of pseudorandomness from two related assumptions in braid groups:
the intractability assumptions of the conjugacy and the Ko-Lee problems. We
call the latter the Ko-Lee assumption (KL-Assumption).



1.1 The Ko-Lee Problem 

As a basic pseudorandom primitive, a pseudorandom generator is informally
defined to be an efficient algorithm expanding short random bit sequences into
long pseudorandom bit sequences.

Naor et al. first introduced the notion of pseudorandom synthesizer as
a stronger one than pseudorandom generator in the following sense: While a
pseudorandom generator, $G$, guarantees the pseudorandomness of $\{G(z_i)\}_{1 \leq i \leq n}$
only when $z_1, \ldots, z_n$ are chosen uniformly and independently, a pseudorandom
synthesizer, $S$, guarantees the pseudorandomness of $\{S(z_i)\}_{1 \leq i \leq n}$ even when
the $z_i$'s are not completely independent. Loosely speaking, a pseudorandom synthesizer
is a two-variable function such that if polynomially many random
assignments are chosen for both variables, $(x_1, \ldots, x_m)$ and $(y_1, \ldots, y_m)$, then
the output of $S$ on all the combinations of these assignments, $(S(x_i, y_j))_{1 \leq i,j \leq m}$,
is pseudorandom.

Our Result: From the KL-Assumption, we formally derive a decisional version,
which was mentioned in connection with the security of the braid public-key
cryptosystem [12]. Under the decision Ko-Lee assumption (DKL-Assumption), we construct a
pseudorandom generator and a pseudorandom synthesizer and show that they
are provably secure.

1.2 The Conjugacy Problem 

The Ko-Lee problem was originally proposed as a variant of the conjugacy prob- 
lem to induce a trapdoor one-way function (for a public-key cryptosystem). 
However, it looks easier to solve than the conjugacy problem. Since pseudoran- 
domness needs no trapdoor, the conjugacy problem itself can be considered. 

If $f$ is a one-way function, then not every bit of the argument $x$ can be easily
computed from $f(x)$. A natural question is whether there is a specific bit of $x$
which cannot be distinguished from a random bit by any efficient algorithm given
$f(x)$. This question was first addressed by Blum et al. Demonstrating such
a pseudorandom bit for the discrete exponentiation function, they introduced
the notion of hard-core predicate as a cryptographically useful tool. Loosely
speaking, a hard-core predicate $b$ of a function $f$ is a polynomial-time computable
boolean predicate such that $b(x)$ is hard to predict from $f(x)$. So far, two kinds
of hard-core predicates have been proposed. On the one hand, for a few one-way
functions $f$, a particular bit of $x$ has been discovered, the so-called hard-core
bit, which is the source of $b(x)$ by the unique characteristic of $f$. For
instance, Alexi et al. showed that $b(x)$ is the least significant bit of $x$ for
the RSA and the Rabin functions. On the other hand, for any one-way function,
one can make a hard-core predicate by the Goldreich-Levin construction. More
precisely, for any one-way function $f$, the inner product mod 2 of $x$ and $r$ is a
hard-core of $g(x, r) = (f(x), r)$. To distinguish these two kinds of hard-core
predicates, we call the former kind the peculiar one and the latter kind the
generic one.

Considering that among a number of known one-way functions only the RSA,
the Rabin, and the discrete exponentiation functions have peculiar hard-core
predicates, it is interesting to find one for the conjugacy problem. It indicates
which bit of the solution is as difficult to compute as the entire solution.

The conjugacy problem in braid groups is quite different from the above
one-way functions in the sense that it is not a group homomorphism. Since such
a property is the basis for the construction of the previous peculiar hard-core
predicates, we should take a completely different way to construct a peculiar
hard-core for the conjugacy problem.

Our Result: We first present a collection of one-way functions, CNJ, under
the intractability assumption of the $(n, n-1)$-GCP, which is almost the conjugacy
problem from a computational complexity point of view. Then we present
two hard-core bits of CNJ. Using one of them, we construct a peculiar hard-core
predicate, INF, and prove that predicting $\mathrm{INF}(x)$ from $\mathrm{CNJ}(x)$ is as hard as
inverting $\mathrm{CNJ}(x)$. The other hard-core bit can be treated likewise.

1.3 Outline

In Section 2 we introduce some notation and briefly describe the braid groups. In Section 3
we examine the bit security of the conjugacy problem (3.1), present a collection
of one-way functions based on that problem (3.2), and construct a hard-core
predicate of the one-way function (3.3). In Section 4 we construct a pseudorandom
generator (4.1) and a pseudorandom synthesizer (4.2).

2 Preliminaries 

2.1 Notations

Basic notation: Let $\mathbb{N}$ and $\mathbb{Z}$ denote the set of all natural numbers and the
set of all integers, respectively. For any bit-string $x$, $\|x\|$ denotes its length (i.e.
the number of bits in $x$). For a finite set $S$, $|S|$ denotes the cardinality of $S$ and
$\|S\|$ denotes the maximum among the bit-lengths of elements of $S$. The notation
$(a_{ij})$ denotes an $(n \times m)$-matrix whose $(i,j)$-entry is $a_{ij}$.
Probability notation: The following notation is standard.

A probability distribution $\mathcal{D}$ on a finite set $S$ assigns a probability $\mathcal{D}(s) \geq 0$
to each $s \in S$, with $\sum_{s \in S} \mathcal{D}(s) = 1$. For a distribution $\mathcal{D}$, $[\mathcal{D}]$ denotes the
support of $\mathcal{D}$ (the set of elements of positive probability). If a random variable
$x$ is distributed according to $\mathcal{D}$ on $S$, we write $x \xleftarrow{\mathcal{D}} S$, or simply $x \leftarrow \mathcal{D}$ if the
set $S$ is obvious from the context. The notation $x_1, \ldots, x_n \leftarrow \mathcal{D}$ indicates that
$n$ random variables $x_1, \ldots, x_n$ are independently distributed according to $\mathcal{D}$ on $S$.

If $f$ is a function mapping $S$ to a set $T$, then $(f(x) : x \leftarrow \mathcal{D})$ is a random variable
that defines a distribution $\mathcal{E}$, where for all $t \in T$, $\mathcal{E}(t) = \sum_{s \in S,\, f(s) = t} \mathcal{D}(s)$.

If $A$ is a probabilistic algorithm, then for any input $x, y, \ldots$ the notation
$A(x, y, \ldots)$ refers to the probability distribution induced by its internal random
coin tosses. So if $x \leftarrow \mathcal{D}, y \leftarrow \mathcal{E}, \ldots$ are random variables, then $(A(x, y, \ldots) :
x \leftarrow \mathcal{D}; y \leftarrow \mathcal{E}; \ldots)$ represents the random variable distributed according to
$\mathcal{D}, \mathcal{E}, \ldots$ and its internal random coin tosses.

We let $x \xleftarrow{U} S$ indicate that $x$ is uniformly distributed on $S$; i.e., for all $s \in S$,
$\Pr[x = s : x \xleftarrow{U} S] = 1/|S|$.

For probability distributions $\mathcal{D}, \mathcal{E}, \ldots$, the notation $\Pr[p(x, y, \ldots) : x \leftarrow
\mathcal{D}; y \leftarrow \mathcal{E}; \ldots]$ denotes the probability that the predicate $p(x, y, \ldots)$ is true
after the (ordered) execution of the algorithms $x \leftarrow \mathcal{D}$, $y \leftarrow \mathcal{E}$, etc.

PPTA is short for "probabilistic polynomial time algorithm in its input
length(s)".



2.2 The Braid Groups

In this section, we briefly review some basic material for braid groups; see the
references for details. For each integer $n \geq 2$, the $n$-braid group $B_n$ is defined by the
following group presentation

$$B_n = \Big\langle \sigma_1, \ldots, \sigma_{n-1} \ \Big|\ \begin{array}{ll} \sigma_i\sigma_j\sigma_i = \sigma_j\sigma_i\sigma_j & \text{if } |i - j| = 1 \\ \sigma_i\sigma_j = \sigma_j\sigma_i & \text{if } |i - j| \geq 2 \end{array} \Big\rangle.$$

The integer $n$ is called the braid index and each element of $B_n$ is called an $n$-braid.
An $n$-braid has the following geometric interpretation: it is a set of $n$ disjoint
strands which run essentially in the same direction (our convention is the vertical
direction). The multiplication $\alpha\beta$ of two braids $\alpha$ and $\beta$ is the braid obtained
by positioning $\alpha$ on top of $\beta$, the identity $e_n$ is the braid consisting of $n$
straight vertical strands, and the inverse of $\alpha$ is the reflection of $\alpha$ with respect
to a horizontal plane. Examples are given in Figure 1 (a,b,c). Henceforth, let $\sigma_i$
denote only a generator of the corresponding braid group.

$B_n^+$ denotes the monoid defined by the generators and relations in the above
presentation, and its elements are called positive $n$-braids. To each permutation
$\pi = b_1 b_2 \cdots b_n$ we associate a positive $n$-braid obtained by connecting the upper
$i$-th point to the lower $b_i$-th point by a straight line. Such braids are called
permutation braids or canonical factors. The permutation $n$-braid corresponding
to the permutation $(n)(n-1)\cdots(2)(1)$ is called the fundamental braid and denoted
by $\Delta_n$. See Figure 1 (d) for an example. For $a \in B_n^+$, define two sets $S(a) =
\{i \mid a = \sigma_i\beta \text{ for some } \beta \in B_n^+\}$ and $F(a) = \{i \mid a = \beta\sigma_i \text{ for some } \beta \in B_n^+\}$.
Fig. 1. An example of braids: (b) the generator $\sigma_i$; (c) a product of generators; (d) $\Delta_4$.



Every braid $x \in B_n$ has a unique decomposition called the left-canonical
form, $x = \Delta_n^u x_1 \cdots x_k$, where $u \in \mathbb{Z}$ and the $x_i$'s are permutation braids other than
$e_n$ and $\Delta_n$ such that $F(x_i) \supseteq S(x_{i+1})$. In this article, all the braids are
supposed to be in their left-canonical forms. Hence, for $\alpha, \beta \in B_n$, $\alpha\beta$ means
the left-canonical form of $\alpha\beta$, and so it is hard to guess its original factor $\alpha$ or $\beta$
from $\alpha\beta$.

For $m < n$, $B_m$ is regarded as the subgroup of $B_n$ generated only by
$\sigma_1, \ldots, \sigma_{m-1}$ of $B_n$, and so $\Delta_m\ (\in B_n)$ is the permutation $n$-braid corresponding
to the permutation $(m)(m-1)\cdots(2)(1)(m+1)(m+2)\cdots(n)$.

Braid groups with all their operations, multiplication, inversion, and converting
into left-canonical forms, are efficiently handled by computers.



3 Hard-Core Predicate

From the intractability assumption of the conjugacy problem, one can naturally
derive a one-way function, $\mathrm{CNJ}_\alpha : B_n \to B_n$, defined by $\mathrm{CNJ}_\alpha(x) = x^{-1}\alpha x$,
where $\alpha \in B_n$.

Our goal in this section is to construct a peculiar hard-core predicate of $\mathrm{CNJ}_\alpha$.
Therefore, we should discover for $\mathrm{CNJ}_\alpha$ the hard-core bit of a braid into which
the one-wayness of $\mathrm{CNJ}_\alpha$ is transformed.

Notice that we are in a different situation from the previous ones for the following
reasons: (i) a braid is not naturally expressed as a digit string; (ii) $\mathrm{CNJ}_\alpha$ is not a
group homomorphism. By (i), we should find a different type of bit from the
least significant bit (for RSA, Rabin) or the most significant bit (for the discrete
exponentiation function). Since such a bit must be an invariant of a braid,
let us consider the left-canonical form. Recall that any braid $x \in B_n$ is uniquely
expressed in its left-canonical form $x = \Delta_n^u x_1 \cdots x_p$. Here, each of the integers
$u$, $p$, and $u + p$ is called the infimum, the canonical length, and the supremum
of $x$ and denoted by $\inf(x)$, $\mathrm{len}(x)$, and $\sup(x)$, respectively. Because they are
invariants of a braid, the hard-core bit may be derived from some of them. In
contrast to (ii), the homomorphic property of the other one-way functions was
essential to finding their hard-core bits. Therefore, we should approach our
problem in a new way.
3.1 Candidates for the Hard-Core Bit

The following two propositions show the key properties of the infimum and the
supremum as candidates for the hard-core bit.

Proposition 1. Let $x = \Delta_n^u\psi \in B_n$, where $\psi \in B_n^+ - \Delta_nB_n^+$. Then for any
generator $\sigma_i$ of $B_n$,

$$\inf(x\sigma_i^{-1}) = \begin{cases} \inf(x) & \text{if } i \in F(\psi) \\ \inf(x) - 1 & \text{otherwise.} \end{cases}$$

Proof. Note that for any $x_1, x_2 \in B_n$, $\inf(x_1x_2) \geq \inf(x_1) + \inf(x_2)$. Using
this, we get $\inf(x) - 1 \leq \inf(x\sigma_i^{-1}) \leq \inf(x)$. Thus it suffices to show that
$\inf(x\sigma_i^{-1}) = \inf(x)$ if and only if $i \in F(\psi)$. If $i \in F(\psi)$, then $\psi = \psi_1\sigma_i$ for
some $\psi_1 \in B_n^+ - \Delta_nB_n^+$ and $\inf(x\sigma_i^{-1}) = \inf(\Delta_n^u\psi_1) = u = \inf(x)$. Conversely,
if $\inf(x\sigma_i^{-1}) = \inf(x)$, then $x\sigma_i^{-1} = \Delta_n^u\psi_2$ for some $\psi_2 \in B_n^+ - \Delta_nB_n^+$. This
implies that $\psi = \psi_2\sigma_i$ and so $i \in F(\psi)$. $\square$

Proposition 2. Let $\Delta_n^u x_1 \cdots x_k$ be the left-canonical form of $x \in B_n$. Then for
any generator $\sigma_i$ of $B_n$,

$$\sup(x\sigma_i) = \begin{cases} \sup(x) + 1 & \text{if } i \in F(x_k) \\ \sup(x) & \text{otherwise.} \end{cases}$$

Proof. If $i \in F(x_k)$, then it is clear that $\sup(x\sigma_i) = \sup(x) + 1$. Otherwise, $x_k\sigma_i$
is a permutation braid, so that $\sup(x\sigma_i) \leq u + k = \sup(x)$. Since $\sup(x\sigma_i) \geq
\sup(x)$, we have $\sup(x\sigma_i) = \sup(x)$. $\square$

From now on, we consider only the infimum. By Proposition 2 the supremum
can be dealt with similarly to the infimum.

Proposition 1 gives a clue to finding a hard-core bit for the conjugacy
problem in the following way: Loosely speaking, given $(\alpha, x^{-1}\alpha x)$, if an adversary
is allowed to access an oracle $\mathcal{INF}$ which on input $(\alpha, \zeta^{-1}\alpha\zeta)$ outputs
$\inf(\zeta) \bmod 2$ for all $\zeta \in B_n$, then (s)he can detect the last generator of $x$ by
comparing $\mathcal{INF}(\alpha, x^{-1}\alpha x)$ with $\mathcal{INF}(\alpha, \sigma_i x^{-1}\alpha x\sigma_i^{-1})$. In a recursive way,
(s)he finally obtains the entirety of $x$.

The existence of $\mathcal{INF}$ assumes that $\zeta_1^{-1}\alpha\zeta_1 = \zeta_2^{-1}\alpha\zeta_2$ implies $\inf(\zeta_1) \equiv
\inf(\zeta_2) \pmod 2$. However, this does not always happen. For example, if $\alpha$ commutes
with $\Delta_n$ and $\zeta_2 = \Delta_n\zeta_1$, then $\zeta_1^{-1}\alpha\zeta_1 = \zeta_2^{-1}\alpha\zeta_2$ but $\inf(\zeta_2) = \inf(\zeta_1) + 1$.
Since $\alpha$ has a major influence on the complexity of the conjugacy problem, $\alpha$ cannot be
arbitrarily chosen but must satisfy some property.

Definition 1. We say that $\alpha \in B_n$ is centralizer-free in $B_m$ if for any $x \in
B_m$ $(m \leq n)$, $x\alpha = \alpha x$ implies $x = e_n$.

Note that if $\alpha$ is centralizer-free in $B_m$, then $\zeta_1^{-1}\alpha\zeta_1 = \zeta_2^{-1}\alpha\zeta_2$ $(\zeta_1, \zeta_2 \in B_m)$
implies $\zeta_1 = \zeta_2$, and hence $\inf(\zeta_1) = \inf(\zeta_2)$.

We claim that if we choose $\alpha \in B_n$ at random, then it is centralizer-free in
$B_{n-1}$ with negligible exceptions. Because the argument needs the dynamics of disc
homeomorphisms, which seems beyond the scope of this article, we briefly list
some known facts.
Fact 1. Braids are classified into three dynamical types, periodic, reducible, and
pseudo-Anosov, by the Nielsen-Thurston classification of surface automorphisms.
The periodic and the reducible types are of extremely special forms and the
pseudo-Anosov one is the typical form [25].

Fact 2. The pseudo-Anosov $n$-braids are centralizer-free in $B_{n-1}$.

It seems that if we choose at random an $n$-braid $\alpha$ with $p$ canonical factors,
then it is pseudo-Anosov with probability almost 1.

The following proposition shows that the least significant bit of the infimum
has potential as the hard-core bit for $\mathrm{CNJ}_\alpha$.

Proposition 3. Let $\alpha \in B_n$ be centralizer-free in $B_{n-1}$ and $\mathcal{INF}$ be as above.
Then $\mathrm{CNJ}_\alpha$ is inverted for all $x \in B_{n-1}^+ - \Delta_{n-1}B_{n-1}^+$ by invoking $\mathcal{INF}$
polynomially many times in $(n, \mathrm{len}(x))$.

Proof. We exhibit a basic algorithm that inverts $\mathrm{CNJ}_\alpha$ by making calls to $\mathcal{INF}$.
Using Proposition 1, the algorithm on input $(\alpha, x^{-1}\alpha x)$ finds $x$ generator by
generator from right to left. In the middle of the execution, the variable $x'$
contains the right part of the generators of $x$, and the variable $\beta'$ is such that
$\mathrm{CNJ}_\alpha^{-1}(\beta')$ is the left part of $x$. The algorithm, abstractly, transfers the last
generator of $\mathrm{CNJ}_\alpha^{-1}(\beta')$ to the front of $x'$ until $\mathrm{CNJ}_\alpha^{-1}(\beta') = e_{n-1}$, and thus all of $x$
is reconstructed in $x'$.

1. $\beta' \leftarrow x^{-1}\alpha x$, $x' \leftarrow e_{n-1}$.

2. for $i = 1$ to $n - 2$ do

 2.1. if $\mathcal{INF}(\alpha, \sigma_i\beta'\sigma_i^{-1}) = \mathcal{INF}(\alpha, \beta')$, then
 $x' \leftarrow \sigma_i x'$; $\beta' \leftarrow \sigma_i\beta'\sigma_i^{-1}$.

 2.2. if $\beta' = \alpha$, then go to step 3,
 else, go to step 2.

3. output $x'$.

Note that every $n$-permutation braid is composed of at most $n(n-1)/2$ generators
of $B_n$. So the running time of the above algorithm is $O(n^3\,\mathrm{len}(x)\,T)$, where
$T$ is the running time of $\mathcal{INF}$. $\square$
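The objects of Section 2.2 and of Propositions 1 and 3 in runnable form, as an added example (editor's code, not the authors'): a small Garside normal-form routine for $B_n$ over permutation braids, from which $\inf$ and $\mathrm{len}$ are read off, and the Proposition 3 inverter, which sees nothing but parity answers. The oracle $\mathcal{INF}$ is simulated with knowledge of the secret (as the reduction's simulator would), the braid index $n = 5$ and the secret word are constructed for the demonstration, and the word encoding ($i$ for $\sigma_i$, $-i$ for $\sigma_i^{-1}$) is the editor's convention.

```python
# Added example: left-canonical forms in B_n and the INF-oracle inversion of
# CNJ_alpha (Proposition 3).  A permutation braid is the tuple p with
# p[i] = bottom position of the strand starting at top position i (0-indexed);
# sigma_i (1 <= i <= n-1) swaps positions i-1 and i.

def sigma_perm(n, i):
    p = list(range(n)); p[i - 1], p[i] = p[i], p[i - 1]; return tuple(p)

def delta_perm(n):
    return tuple(range(n - 1, -1, -1))           # Delta_n reverses all strands

def compose(a, b):
    """Permutation of the braid 'a on top of b': follow a, then b."""
    return tuple(b[a[i]] for i in range(len(a)))

def inverse(p):
    q = [0] * len(p)
    for i, v in enumerate(p): q[v] = i
    return tuple(q)

def starting_set(p):
    """S(P) = {i : P = sigma_i P'}: the descents of p."""
    return {i for i in range(1, len(p)) if p[i - 1] > p[i]}

def finishing_set(p):
    """F(P) = {i : P = P' sigma_i}: the descents of p^{-1}."""
    return starting_set(inverse(p))

def tau(p):
    """Conjugation by Delta_n, which maps sigma_i to sigma_{n-i}."""
    n = len(p); return tuple(n - 1 - p[n - 1 - i] for i in range(n))

def left_weight(P, Q):
    """Move crossings from the front of Q to the back of P until F(P) contains S(Q)."""
    n = len(P)
    while True:
        movable = starting_set(Q) - finishing_set(P)
        if not movable: return P, Q
        t = sigma_perm(n, min(movable))
        P, Q = compose(P, t), compose(t, Q)

def normal_form(n, word):
    """Left-canonical form Delta^u x_1...x_k of a braid word (i for sigma_i, -i for
    sigma_i^{-1}).  Returns (u, [x_1, ..., x_k]) with u = inf, k = len."""
    D, u, factors = delta_perm(n), 0, []
    for g in word:
        if g > 0:
            factors.append(sigma_perm(n, g))
        else:   # sigma_i^{-1} = Delta^{-1}(Delta sigma_i^{-1}); moving Delta^{-1} left applies tau
            u -= 1
            factors = [tau(f) for f in factors] + [compose(D, sigma_perm(n, -g))]
    changed = True
    while changed:                       # bubble crossings leftwards until left-weighted
        changed = False
        for j in range(len(factors) - 1):
            P, Q = left_weight(factors[j], factors[j + 1])
            if P != factors[j]:
                factors[j], factors[j + 1], changed = P, Q, True
    while factors and factors[0] == D:                  # Delta factors join the power
        factors.pop(0); u += 1
    while factors and factors[-1] == tuple(range(n)):   # drop trailing identities
        factors.pop()
    return u, factors

def make_inf_oracle(n, secret):
    """Simulated INF oracle.  The real oracle receives (alpha, zeta^{-1} alpha zeta); when
    alpha is centralizer-free that pair determines zeta, so the simulation reads
    zeta = x * w^{-1} directly.  The inverter only ever sees the returned parity bit."""
    def oracle(w):
        return normal_form(n, list(secret) + [-g for g in reversed(w)])[0] % 2
    return oracle

def invert_with_inf_oracle(n, oracle):
    """Proposition 3: recover a positive x in B_{n-1} (no Delta_{n-1} factor) generator by
    generator from the right.  By Proposition 1, inf(zeta sigma_i^{-1}) keeps its parity
    exactly when sigma_i is a last generator of zeta."""
    recovered = []
    while True:
        progress = False
        for i in range(1, n - 1):            # generators of B_{n-1}
            if oracle([i] + recovered) == oracle(recovered):
                recovered, progress = [i] + recovered, True
        if not progress:                     # F(e) is empty: nothing left to peel
            return recovered

if __name__ == "__main__":
    n, x = 5, [1, 3, 2, 1, 3, 3]             # constructed secret in B_4 < B_5
    found = invert_with_inf_oracle(n, make_inf_oracle(n, x))
    print(found, normal_form(n, found) == normal_form(n, x))
```

The recovered word need not be letter-for-letter the secret, only the same braid; comparing left-canonical forms is the right equality test, which is also why the paper insists that every braid is kept in that form.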

3.2 Construction of a Collection of One-Way Functions, CNJ

The original definition of a one-way function refers to a single function operating
on an infinite domain like $f : \{0,1\}^* \to \{0,1\}^*$. This formulation is suitable for
an abstract discussion. However, for practical purposes, an infinite collection of
functions each operating on a finite domain is more adequate. In this context,
this section describes a collection of one-way functions under the intractability
assumption of the conjugacy problem. Recall the formal definition of a collection
of one-way functions.

Definition 2. Let $I$ be an index set and for each $i \in I$ let $D_i$ be a finite
domain. A collection of one-way functions is a set $F = \{f_i : D_i \to \{0,1\}^*\}_{i \in I}$
satisfying the following conditions:

Cond 1. There exists a PPTA $\mathcal{I}$ which on input $1^n$ outputs $i \in I \cap \{0,1\}^n$.

Cond 2. There exists a PPTA $\mathcal{D}$ which on input $i \in I$ outputs $x \in D_i$.

Cond 3. There exists a polynomial-time algorithm that on input $(i, x) \in I \times D_i$
outputs $f_i(x)$.

Cond 4. For every PPTA $A$, every polynomial $P$, and all sufficiently large $n$'s,

$$\Pr[f_i(z) = f_i(x) : i \leftarrow \mathcal{I}(1^n);\ x \leftarrow \mathcal{D}(i);\ z \leftarrow A(i, f_i(x))] < \frac{1}{P(n)}.$$

Intuitively, the $(n,m)$-GCP becomes harder as $m$ increases, because $B_m$ is
a subgroup of $B_n$ and the search space for $y$ grows with $m$. As mentioned in Section 1,
the $(n,m)$-GCP is a by-product of the KL-Assumption, which is based on the
$(n, m(n))$-GCP for the $m(n)$ of Section 4. However, one-way functions can be
constructed from the conjugacy problem itself without difficulty. To
construct a hard-core predicate, following the discussion in Section 3.1 we consider the
$(n, n-1)$-GCP, which is almost the conjugacy problem in terms of computational
complexity.

The hardness of the $(n, n-1)$-GCP depends on the braid index $n$ and on the
actual bound of the canonical lengths of the braids it takes. So it is natural and
practical to take both the braid index and the canonical length as its security
parameter.

Notation. For $n \in \mathbb{N}$ and $i \leq j \in \mathbb{Z}$, let $[i,j]_n = \{x \in B_n \mid \inf(x) \geq i,\ \sup(x) \leq j\}$.

Construction 1. Let $I = \{(n,p) \mid n, p \in \mathbb{N}\}$ be an index set.

• $\forall k = (n,p) \in I$, let $I_k = \{\alpha \in B_n^+ - \Delta_nB_n^+ \mid \mathrm{len}(\alpha) = p\}$ be an instance set.
Let $\mathcal{IG}$ be a probabilistic algorithm that on input $(1^n, 1^p)$, where $k = (n,p) \in I$,
outputs an element of $I_k$.

• $\forall k = (n,p) \in I$, let $D_k = [-p,p]_{n-1}$. Let $\mathcal{DG}$ be a probabilistic algorithm
that on input $(1^n, 1^p)$, where $k = (n,p) \in I$, outputs an element of $D_k$.

• $\forall k = (n,p) \in I$, $\forall \alpha \in I_k$, define an instance function $\mathrm{CNJ}_\alpha : D_k \to B_n$ by
$\mathrm{CNJ}_\alpha(x) = x^{-1}\alpha x$.

• $\forall k = (n,p) \in I$, let $F_k$ be the random variable defined on $\{\mathrm{CNJ}_\alpha\}_{\alpha \in I_k}$,
distributed according to $\mathcal{IG}(1^n, 1^p)$.

• Let $\mathrm{CNJ} = \{F_k\}_{k \in I}$.

CNJ clearly satisfies Cond 3 because given $(\alpha, x) \in I_{n,p} \times D_{n,p}$ one can
compute the left-canonical form of $x^{-1}\alpha x$ in time $O(p^2 n \log n)$. Now we
check Cond 1, 2. Notice that to satisfy Cond 4, $\mathcal{DG}(1^n, 1^p)$ cannot be mainly
concentrated on polynomially many (in $k$) elements.

The next corollary follows from the proof of Theorem 3 in [12].

Corollary 1. There exists a PPTA whose outputs, on input $(1^n, 1^p)$, are distributed
uniformly over a subset $S$ of $\{x \in B_n^+ - \Delta_nB_n^+ \mid \mathrm{len}(x) = p\}$, where $|S|$
exceeds every polynomial in $k$ for all sufficiently large $k$.

Therefore, we can have $\mathcal{IG}$ and $\mathcal{DG}$ satisfy Cond 1, 2, 4 under the intractability
assumption of the $(n, n-1)$-GCP. Furthermore, from this corollary and from the
discussion of $\alpha$ in Section 3.1, $\mathrm{CNJ}_\alpha$ can be regarded as $1-1$ for all sufficiently large
$k = (n,p)$'s in $I$ and a randomly chosen $\alpha$ by $\mathcal{IG}(1^n, 1^p)$. Hereafter, saying large
$k$ means large $n$ and large $p$.
3.3 Construction of a Hard-Core Predicate, INF

This section constructs a hard-core predicate of CNJ. Recall the original definition
of a hard-core predicate.

Definition 3. A polynomial-time computable predicate $b : \{0,1\}^* \to \{0,1\}$ is
called a hard-core of $f : \{0,1\}^* \to \{0,1\}^*$ if for every PPTA $A$, every
positive polynomial $P$, and all sufficiently large $n$'s in $\mathbb{N}$

$$\Pr[A(f(x)) = b(x) : x \xleftarrow{U} \{0,1\}^n] < \frac{1}{2} + \frac{1}{P(n)}.$$

Notice that, given $(\alpha, x^{-1}\alpha x)$, to retrieve $x \in D_{n,p}$ we must know $\inf(\zeta) \bmod 2$
from $(\alpha, \zeta^{-1}\alpha\zeta)$ for many $\zeta$'s in $B_{n-1}$ which are closely related to $x$. However,
no finite subset of $B_{n-1}$ except for $\{e_{n-1}\}$ is a group. So it happens that
for some $x$'s in $D_{n,p}$, some $\zeta$'s are not in $D_{n,p}$. For this reason, the domain of the
hard-core predicate is defined slightly differently from the corresponding one of
CNJ.

For every $k = (n,p) \in I$, consider a slightly enlarged set of $D_k$,

$$\widetilde{D}_k = D_k \cup \{x\sigma_i^{-1} \mid x \in D_k,\ i \in \{1, \ldots, n-2\}\}.$$

Thus, $D_k = [-p,p]_{n-1} \subseteq \widetilde{D}_k \subseteq [-(p+1), p]_{n-1} \subseteq D_{n,p+1}$.

Notation. $\sigma_0 = e_n$.

For every $k = (n,p) \in I$, define a PPTA $\widetilde{\mathcal{DG}}(1^n, 1^p)$ in the following order:

$x \leftarrow \mathcal{DG}(1^n, 1^p)$; $i \xleftarrow{U} \{0, 1, \ldots, n-2\}$; output $x\sigma_i^{-1}$.

Using the infimum and $\widetilde{D}_k$, we now define a collection of boolean predicates

$$\mathrm{INF} = \{\mathrm{INF}_k : \widetilde{D}_k \to \{0,1\}\}_{k \in I} \quad \text{by} \quad \mathrm{INF}_k(x) = \inf(x) \bmod 2.$$

The following lemma is crucial to our main result. It shows, for a random
choice $x \in \widetilde{D}_k$, how to turn a PPTA that predicts $\mathrm{INF}_k(x)$ correctly from $\mathrm{CNJ}_\alpha(x)$
with probability non-negligibly higher than $1/2$ into a PPTA that predicts it almost
always correctly.

Lemma 1. For an infinite subset $\Gamma$ of $I$, let $A$ be a PPTA and $P$ be a positive
polynomial such that for all $k = (n,p) \in \Gamma$

$$\Pr[A(1^n, 1^p, \alpha, x^{-1}\alpha x) = \mathrm{INF}_k(x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \geq \frac{1}{2} + \frac{1}{P(k)}.$$

Then for any positive polynomial $Q$, there exists a PPTA $C$ such that for all
$k = (n,p) \in \Gamma$

$$\Pr[C(1^n, 1^p, \alpha, x^{-1}\alpha x) = \mathrm{INF}_k(x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \geq 1 - \frac{1}{Q(k)}.$$

Proof. For every $k \in \Gamma$, let $N = N(k) = P(k)^2 Q(k)$. On every input $(1^n, 1^p, \alpha,
x^{-1}\alpha x)$, where $k = (n,p) \in \Gamma$, $\alpha \in [\mathcal{IG}(1^n, 1^p)]$, and $x \in [\widetilde{\mathcal{DG}}(1^n, 1^p)]$, $C$ executes
the following algorithm:

1. Invoke $A$ on input $(1^n, 1^p, \alpha, x^{-1}\alpha x)$ independently $N$ times, and let $A^{(i)}$
be the $i$-th invocation of $A$ for each $i \in \{1, \ldots, N\}$.

2. If $\frac{1}{N}\sum_{i=1}^{N} A^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) \geq \frac{1}{2}$, output 1. Otherwise, output 0.

For every $k = (n,p) \in \Gamma$ and every $i \in \{1, \ldots, N\}$, define a PPTA
$C^{(i)}(1^n, 1^p, \cdot, \cdot)$ induced by $A$ as

$$C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) = \begin{cases} 1 & \text{if } A^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) \neq \mathrm{INF}_k(x) \\ 0 & \text{otherwise,} \end{cases}$$

where $\alpha \leftarrow \mathcal{IG}(1^n, 1^p)$; $x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)$.

The independence of $(\{A^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x)\}_{1 \leq i \leq N} : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow
\widetilde{\mathcal{DG}}(1^n, 1^p))$ yields the independence of $(\{C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x)\}_{1 \leq i \leq N} : \alpha \leftarrow
\mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p))$. And for every $i \in \{1, \ldots, N\}$

$$\begin{aligned}
&\Pr[C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) = 1 : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \\
&= \Pr[A(1^n, 1^p, \alpha, x^{-1}\alpha x) \neq \mathrm{INF}_k(x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \\
&\leq \frac{1}{2} - \frac{1}{P(k)}.
\end{aligned}$$

So $(\{C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x)\}_{1 \leq i \leq N} : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p))$ are
independent and identically distributed random variables with common Bernoulli
distribution $B(1, q)$, where $q \leq \frac{1}{2} - \frac{1}{P(k)}$.

From $E[C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \leq \frac{1}{2} - \frac{1}{P(k)}$
and by applying Chebyshev's inequality, we get

$$\Pr\Big[\frac{1}{N}\sum_{i=1}^{N} C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) \geq \frac{1}{2} : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)\Big]
\leq P(k)^2\, \mathrm{Var}\Big[\frac{1}{N}\sum_{i=1}^{N} C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)\Big].$$

Because the $C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x)$ are pairwise independent and because

$$\mathrm{Var}[C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \leq \frac{1}{4},$$

it follows that

$$\mathrm{Var}\Big[\frac{1}{N}\sum_{i=1}^{N} C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)\Big] \leq \frac{1}{4N}.$$

Thus,

$$\Pr\Big[\frac{1}{N}\sum_{i=1}^{N} C^{(i)}(1^n, 1^p, \alpha, x^{-1}\alpha x) \geq \frac{1}{2} : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)\Big] \leq \frac{P(k)^2}{4N} = \frac{1}{4Q(k)}.$$

Since $C$ outputs $\mathrm{INF}_k(x)$ whenever fewer than half of the invocations of $A$ err, that is to say,

$$\Pr[C(1^n, 1^p, \alpha, x^{-1}\alpha x) = \mathrm{INF}_k(x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \geq 1 - \frac{1}{4Q(k)} \geq 1 - \frac{1}{Q(k)}. \qquad \square$$
By this lemma and by the basic algorithm in Proposition 3 we get the
following result:

Theorem 1. INF is a hard-core predicate of CNJ.

Proof. Assume that there exist a PPTA $A$, an infinite subset $\Gamma$ of $I$, and a
positive polynomial $P$ such that for all $k = (n,p) \in \Gamma$

$$\Pr[A(1^n, 1^p, \alpha, x^{-1}\alpha x) = \mathrm{INF}_k(x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \geq \frac{1}{2} + \frac{1}{P(k)}.$$

From Lemma 1 there is a PPTA $C$ such that for all $k = (n,p) \in \Gamma$

$$\Pr[C(1^n, 1^p, \alpha, x^{-1}\alpha x) = \mathrm{INF}_k(x) : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \widetilde{\mathcal{DG}}(1^n, 1^p)] \geq 1 - \frac{1}{Q(k)}.$$

Fix $k = (n,p) \in \Gamma$. Using the basic algorithm in Proposition 3, on input
$(1^n, 1^p, \alpha, x^{-1}\alpha x)$, where $\alpha \leftarrow \mathcal{IG}(1^n, 1^p)$, $x \leftarrow \mathcal{DG}(1^n, 1^p)$, $\mathcal{M}$ executes the
following algorithm:

1. $\beta' \leftarrow x^{-1}\alpha x$; $x' \leftarrow e_{n-1}$.

2. for $u = -p$ to $p$ do

 2.1. if $\beta' = \Delta_{n-1}^{-u}\alpha\Delta_{n-1}^{u}$, then go to step 4.

3. for $j = 1$ to $n - 1$ do

 3.1. $i \xleftarrow{U} \{0, 1, \ldots, n-2\}$.

 3.2. if $C(1^n, 1^p, \alpha, \sigma_i\beta'\sigma_i^{-1}) = C(1^n, 1^p, \alpha, \beta')$, then
 $x' \leftarrow \sigma_i x'$; $\beta' \leftarrow \sigma_i\beta'\sigma_i^{-1}$,
 else go to step 3.

 3.3. for $u = -p$ to $p$ do

  3.3.1. if $\beta' = \Delta_{n-1}^{-u}\alpha\Delta_{n-1}^{u}$, then go to step 4.

 3.4. go to step 3.

4. output $\Delta_{n-1}^{u} x'$.

Each repetition of the above algorithm makes two calls to $C$ independently,
and the number of repetitions is at most $p(n-1)^2$. Choosing $Q$ larger than the total
number of calls, by the definition of $\widetilde{\mathcal{DG}}$ and $\mathcal{M}$, for all $k = (n,p) \in \Gamma$

$$\Pr[\mathcal{M}(1^n, 1^p, \alpha, x^{-1}\alpha x) = x : \alpha \leftarrow \mathcal{IG}(1^n, 1^p);\ x \leftarrow \mathcal{DG}(1^n, 1^p)]$$

is non-negligible, which contradicts Cond 4 for CNJ. $\square$

Notice that hard-core predicates are used to construct pseudorandom generators
in some cases by the Blum-Micali general method. Loosely speaking,
if $l : \mathbb{N} \to \mathbb{N}$ is a stretching function and $f : \{0,1\}^n \to \{0,1\}^n$ is a $1-1$
one-way function with a hard-core $b$, then $G(s) = b(x_1)b(x_2)\cdots b(x_{l(n)})$ is a
pseudorandom generator, where $x_0 = s$ and $x_i = f(x_{i-1})$ for $i = 1, \ldots, l(n)$.
This method does not apply to INF because $\mathrm{CNJ}_\alpha(D_k)$ is much larger than $D_k$,
so $\mathrm{CNJ}_\alpha$ cannot be iterated on its own domain. Since most known one-way
functions in braid groups do not preserve their finite domains, hard-core predicates
in braid groups seem to have no relation to this method.
4 Pseudorandom Schemes

The original KL-Assumption is as follows:

Given a triplet $(\alpha, \chi^{-1}\alpha\chi, \psi^{-1}\alpha\psi)$ of elements in $B_n$, where $\chi \in \langle \sigma_1, \ldots,
\sigma_{m-1} \rangle$ and $\psi \in \langle \sigma_{m+1}, \ldots, \sigma_{n-1} \rangle$, it is computationally infeasible to
find $\psi^{-1}\chi^{-1}\alpha\chi\psi$.

Let $m(n)$ be a fixed function of $n$ with $m(n) < n$. For every $k = (n,p) \in I$, let $m$ mean $m(n)$ and let $LD_k =
[-p,p]_m$. Consider the group monomorphism $\tau : B_{n-m} \to B_n$ defined by $\tau(\sigma_i) =
\sigma_{m+i}$ for $i = 1, \ldots, n-m-1$. Then $\tau(B_{n-m}) = \langle \sigma_{m+1}, \ldots, \sigma_{n-1} \rangle$ is a subgroup
of $B_n$ isomorphic to $B_{n-m}$. Let $RD_k = \tau([-p,p]_{n-m})$. The particular choice of $m(n)$
is only for notational convenience; it can take any value near it.
From the definition of $LD_k$ and $RD_k$, for every $k = (n,p) \in I$ and every $(\chi, \psi) \in
LD_k \times RD_k$, it follows that: (i) $\chi\psi = \psi\chi$; (ii) $\chi\psi \in [-p,p]_n$. (i) is trivial, (ii)
uses the fact that there exists $\zeta \in B_n^+$ such that $\Delta_n = \Delta_m\tau(\Delta_{n-m})\zeta$.

For every $k = (n,p) \in I$ and every $\alpha \in I_k$, let $R_{k,\alpha} = \{\zeta^{-1}\alpha\zeta \mid \zeta \in [-p,p]_n\}$.
Using these notations, the DKL-Assumption is stated as follows:

[The DKL-Assumption]

For every PPTA $A$, every positive polynomial $P$, and all sufficiently large $k =
(n,p)$'s in $I$,

$$\begin{aligned}
\Big|&\Pr[A(\alpha, \chi^{-1}\alpha\chi, \psi^{-1}\alpha\psi, \psi^{-1}\chi^{-1}\alpha\chi\psi) = 1 : \chi \xleftarrow{U} LD_k;\ \psi \xleftarrow{U} RD_k] \\
&- \Pr[A(\alpha, \chi^{-1}\alpha\chi, \psi^{-1}\alpha\psi, \beta) = 1 : \chi \xleftarrow{U} LD_k;\ \psi \xleftarrow{U} RD_k;\ \beta \xleftarrow{U} R_{k,\alpha}]\Big| < \frac{1}{P(k)}.
\end{aligned}$$

Actually, there is no known PPTA sampling $\chi$ from $LD_k$ uniformly at random.
However, from Corollary 1 one can construct a PPTA $\mathcal{CDG}$ such that for
every $k = (n,p) \in I$, $\mathcal{CDG}(1^n, 1^p)$ is uniformly distributed on $[\mathcal{CDG}(1^n, 1^p)] \subseteq
LD_k$. Moreover, for every polynomial $Q$, $|[\mathcal{CDG}(1^n, 1^p)]| \geq Q(k)$ for all sufficiently
large $k = (n,p)$'s in $I$. So, in this section, saying that $\chi \xleftarrow{U} LD_k$ implicitly
means two things: on the one hand, we have such a $\mathcal{CDG}$; on the other
hand, $\chi \leftarrow \mathcal{CDG}(1^n, 1^p)$. In other words, $LD_k$ means $[\mathcal{CDG}(1^n, 1^p)]$ in a probabilistic
sense. Likewise, let us view $\chi \xleftarrow{U} RD_k$ and $\chi \xleftarrow{U} R_{k,\alpha}$ in this way.

Under this DKL-Assumption, this section constructs a pseudorandom generator
and a pseudorandom synthesizer which are similar to those based on the
decision Diffie-Hellman assumption. Since their security is proved by the standard
hybrid technique, we only sketch the proofs.



4.1 Pseudorandom Generator

Recall the formal definition of pseudorandom generator.

498 E. Lee, S.J. Lee, and S.G. Hahn

Definition 4. A deterministic polynomial-time algorithm, $G : \{0,1\}^* \to \{0,1\}^*$,
is called a pseudorandom generator if there exists a stretching function,
$l : \mathbb{N} \to \mathbb{N}$, so that for all $x \in \{0,1\}^*$, $\|G(x)\| = l(\|x\|)$, and if for every
PPTA $A$, every positive polynomial $P$, and all sufficiently large $n$'s in $\mathbb{N}$

$$\Big|\Pr[A(G(x)) = 1 : x \xleftarrow{U} \{0,1\}^n] - \Pr[A(r) = 1 : r \xleftarrow{U} \{0,1\}^{l(n)}]\Big| < \frac{1}{P(n)}.$$

The idea of this section is as follows: given $(\alpha,\chi^{-1}\alpha\chi)$ for $\alpha\in B_n$, $\chi\in B_m$, it looks hard to find $\chi$ even if one knows $(\psi_i^{-1}\alpha\psi_i,\ \chi^{-1}\psi_i^{-1}\alpha\psi_i\chi)$ for polynomially many $\psi_i$'s randomly chosen in $\tau(B_{n-m})$.

Notation. For every $k\in I$ and every $\alpha\in I_k$, let $LR_{k,\alpha} = \{\chi^{-1}\alpha\chi \mid \chi\in LD_k\}$.



Definition 5 ($\mathcal{PGIG}_{KL}$). An instance generator $\mathcal{PGIG}_{KL}$ is a probabilistic algorithm that, on input $(1^n,1^p,1^l)$ where $k=(n,p)\in I$ and $l\in\mathbb{N}$, executes the following:

$\alpha\leftarrow IG(1^n,1^p)$; $\alpha_1,\ldots,\alpha_l\leftarrow LR_{k,\alpha}$; output $(\alpha,\alpha_1,\ldots,\alpha_l)$.

By the definition of $IG$, $\mathcal{PGIG}_{KL}$ clearly runs in time polynomial in $(k,l)$.

Construction 2. Let $l: I\to\mathbb{N}$ be a polynomial. For every $k=(n,p)\in I$, $\alpha\in I_k$ and $\mathbf{a}=(\alpha_1,\ldots,\alpha_l)\in(LR_{k,\alpha})^l$, define $g_{\alpha,\mathbf{a}}: RD_k\to(R_{k,\alpha})^l$ by $g_{\alpha,\mathbf{a}}(\psi) = (\psi^{-1}\alpha_1\psi,\ldots,\psi^{-1}\alpha_l\psi)$, where $l=l(k)$. Let $G_k$ be the random variable that assumes as values the function $g_{\alpha,\mathbf{a}}$, where the distribution of $(\alpha,\mathbf{a})$ is $\mathcal{PGIG}_{KL}(1^n,1^p,1^l)$. Let $G_{KL} = \{G_k\}_{k\in I}$.

The following result shows that $G_{KL}$ is pseudorandom, i.e., at least as secure as the DKL-Assumption.

Theorem 2. If the DKL-Assumption holds, then for every PPTA $A$, every positive polynomial $P$, and all sufficiently large $k=(n,p)$'s in $I$,

$$\bigl|\Pr[A(g_{\alpha,\mathbf{a}}(\psi))=1 : (\alpha,\mathbf{a})\leftarrow\mathcal{PGIG}_{KL}(1^n,1^p,1^l);\ \psi\leftarrow RD_k]$$
$$- \Pr[A(\beta_1,\ldots,\beta_l)=1 : \alpha\leftarrow IG(1^n,1^p);\ \beta_1,\ldots,\beta_l\leftarrow R_{k,\alpha}]\bigr| < \frac{1}{P(k)},$$

where $l=l(k)$.

Sketch of Proof. Fix $k=(n,p)\in I$ and let $l=l(k)$. First, define a PPTA $M$ from $A$ as follows; on input $(\alpha,\chi^{-1}\alpha\chi,\psi^{-1}\alpha\psi,\beta)$, where $\alpha\in I_k$, $\chi\in LD_k$, $\psi\in RD_k$ and $\beta\in R_{k,\alpha}$, $M$ does:

1. $J\leftarrow\{1,\ldots,l\}$.

2. $\chi_1,\ldots,\chi_{J-1}\leftarrow LD_k$; $\beta_{J+1},\ldots,\beta_l\leftarrow R_{k,\alpha}$.

3. $H = (\chi_1^{-1}\psi^{-1}\alpha\psi\chi_1,\ \ldots,\ \chi_{J-1}^{-1}\psi^{-1}\alpha\psi\chi_{J-1},\ \beta,\ \beta_{J+1},\ \ldots,\ \beta_l)$.

4. Output $A(H)$.

Note that each of the first $J-1$ entries is computable from $\psi^{-1}\alpha\psi$ and the freshly sampled $\chi_i$ alone, since $\chi_i$ and $\psi$ commute. Next, for each $0\le i\le l$, define the $i$-th hybrid distribution

$$H^{k,i} = (\psi^{-1}\alpha_1\psi,\ \ldots,\ \psi^{-1}\alpha_i\psi,\ \beta_{i+1},\ \ldots,\ \beta_l),$$

where $(\alpha,\alpha_1,\ldots,\alpha_i)\leftarrow\mathcal{PGIG}_{KL}(1^n,1^p,1^i)$; $\psi\leftarrow RD_k$; $\beta_{i+1},\ldots,\beta_l\leftarrow R_{k,\alpha}$.

Then we get that

$$\Pr[M(\alpha,\chi^{-1}\alpha\chi,\psi^{-1}\alpha\psi,\chi^{-1}\psi^{-1}\alpha\psi\chi)=1 : \alpha\leftarrow IG(1^n,1^p);\ \chi\leftarrow LD_k;\ \psi\leftarrow RD_k]$$
$$- \Pr[M(\alpha,\chi^{-1}\alpha\chi,\psi^{-1}\alpha\psi,\beta)=1 : \alpha\leftarrow IG(1^n,1^p);\ \chi\leftarrow LD_k;\ \psi\leftarrow RD_k;\ \beta\leftarrow R_{k,\alpha}]$$
$$= \frac{1}{l}\Bigl(\Pr[A(H^{k,l})=1 : (\alpha,\alpha_1,\ldots,\alpha_l)\leftarrow\mathcal{PGIG}_{KL}(1^n,1^p,1^l);\ \psi\leftarrow RD_k]$$
$$- \Pr[A(H^{k,0})=1 : \alpha\leftarrow IG(1^n,1^p);\ \beta_1,\ldots,\beta_l\leftarrow R_{k,\alpha}]\Bigr).$$

Using these, the theorem can be proved by contradiction. □

So, $G_{KL}$ generates pseudorandom sequences of braids in $R_{k,\alpha}$. A pseudorandom generator in the sense of Definition 4 can be constructed from $G_{KL}$ by making use of the leftover hash lemma and pairwise independent hash functions [18,16,2].

The expansion property of the pseudorandom generator depends on the choice of $l(\cdot)$. Namely, $l(\cdot)$ should satisfy $l(k)\log_2|R_{k,\alpha}| > 2\|RD_k\|$. Using the fact that $|R_{k,\alpha}| > |LD_k|\cdot|RD_k|$, $l(n,p)=2pn$ suffices.



4.2 Pseudorandom Synthesizer

Although the notion of pseudorandom synthesizer was first introduced by Naor et al. [23] as a tool for a parallel construction of pseudorandom functions, it is important in itself as another type of pseudorandom generator. More precisely, pseudorandom synthesizers may be useful for software implementations of pseudorandom generators, because a pseudorandom generator with long output length can easily be defined from a pseudorandom synthesizer, and subsequences of its output can be computed directly.

Recall the formal definition of a pseudorandom synthesizer:

Notation ([23]). Let $f:\{0,1\}^{2n}\to\{0,1\}^*$ be any function, and let $\mathbf{x}=(x_1,\ldots,x_k)$ and $\mathbf{y}=(y_1,\ldots,y_m)$ be two sequences of $n$-bit strings. We define $C_f(\mathbf{x},\mathbf{y})$ to be the $(k\times m)$-matrix $(f(x_i,y_j))_{i,j}$.

Definition 6 ([23]). Let $l:\mathbb{N}\to\mathbb{N}$ be any function, and let $S:\{0,1\}^*\times\{0,1\}^*\to\{0,1\}^*$ be a polynomial-time computable function such that for every $x,y\in\{0,1\}^n$, $\|S(x,y)\| = l(n)$. Then $S$ is a pseudorandom synthesizer if for every PPTA $A$, every two positive polynomials $P$ and $m$, and all sufficiently large $n$'s,

$$\bigl|\Pr[A(C_S(\mathbf{x},\mathbf{y}))=1] - \Pr[A((r_{i,j})_{1\le i,j\le m})=1]\bigr| < \frac{1}{P(n)},$$

where $m=m(n)$ and $x_1,\ldots,x_m,y_1,\ldots,y_m\leftarrow\{0,1\}^n$; $\mathbf{x}=(x_1,\ldots,x_m)$, $\mathbf{y}=(y_1,\ldots,y_m)$; $r_{1,1},\ldots,r_{m,m}\leftarrow\{0,1\}^{l(n)}$.

As mentioned in [23], the notion of pseudorandom synthesizer is stronger than that of pseudorandom generator, because a synthesizer requires that $\{S(z_i)\}_{1\le i\le m^2}$ remain pseudorandom even when the $z_i$'s are of the form $x_i\circ y_j$, where $\circ$ stands for concatenation. If $l(n)\ge 2n$ for all $n\in\mathbb{N}$, a pseudorandom synthesizer directly becomes a pseudorandom generator with $m(n)=1$. However, not every pseudorandom generator is a pseudorandom synthesizer (see [23] for an example).

Now we construct a pseudorandom synthesizer based on the DKL-Assumption.

Construction 3. For every $k=(n,p)\in I$ and every $\alpha\in I_k$, define $S_\alpha: LD_k\times RD_k\to R_{k,\alpha}$ by $S_\alpha(\chi,\psi) = \psi^{-1}\chi^{-1}\alpha\chi\psi$ (which equals $\chi^{-1}\psi^{-1}\alpha\psi\chi$, since $\chi$ and $\psi$ commute). Let $S_k$ be the random variable that assumes as values the function $S_\alpha$, with $\alpha$ distributed according to $IG(1^n,1^p)$. Let $S_{KL} = \{S_k\}_{k\in I}$.

Then we get the following result:

Theorem 3. If the DKL-Assumption holds, then for every PPTA $A$, all positive polynomials $l$, $P$, and all sufficiently large $k=(n,p)$'s in $I$,

$$\bigl|\Pr[A(C_{S_\alpha}(\boldsymbol{\chi},\boldsymbol{\psi}))=1] - \Pr[A((\gamma_{i,j})_{1\le i,j\le l})=1]\bigr| < \frac{1}{P(k)},$$

where $l=l(k)$ and $\alpha\leftarrow IG(1^n,1^p)$; $\chi_1,\ldots,\chi_l\leftarrow LD_k$; $\boldsymbol{\chi}=(\chi_1,\ldots,\chi_l)$; $\psi_1,\ldots,\psi_l\leftarrow RD_k$; $\boldsymbol{\psi}=(\psi_1,\ld3ots,\psi_l)$; $\gamma_{1,1},\ldots,\gamma_{l,l}\leftarrow R_{k,\alpha}$.

Sketch of Proof. Fix $k=(n,p)\in I$ and let $l=l(k)$. First, define a PPTA $M$ from $A$ as follows; on input $(\alpha,\chi^{-1}\alpha\chi,\psi^{-1}\alpha\psi,\beta)$, where $\alpha\in I_k$, $\chi\in LD_k$, $\psi\in RD_k$ and $\beta\in R_{k,\alpha}$, $M$ does:

1. $J\leftarrow\{1,\ldots,l^2\}$.

2. Compute $J_1,J_2$ such that $1\le J_1,J_2\le l$ and $J = l(J_1-1)+J_2$.

3. Let $\chi_{J_1} = \chi$ and $\psi_{J_2} = \psi$.

4. $\chi_1,\ldots,\chi_{J_1-1}\leftarrow LD_k$; $\psi_1,\ldots,\psi_{J_2-1},\psi_{J_2+1},\ldots,\psi_l\leftarrow RD_k$; $\beta_{J+1},\ldots,\beta_{l^2}\leftarrow R_{k,\alpha}$.

5. Define the $(l\times l)$-matrix $H=(h_{i,j})$ by

$$h_{i,j} = \begin{cases} \psi_j^{-1}\chi_i^{-1}\alpha\chi_i\psi_j & \text{if } l(i-1)+j < J,\\ \beta & \text{if } l(i-1)+j = J,\\ \beta_w,\ w = l(i-1)+j & \text{if } l(i-1)+j > J.\end{cases}$$

6. Output $A(H)$.

Note that every entry with $l(i-1)+j<J$ is computable without knowing $\chi$ or $\psi$: in row $J_1$ it equals $\psi_j^{-1}(\chi^{-1}\alpha\chi)\psi_j$, in column $J_2$ it equals $\chi_i^{-1}(\psi^{-1}\alpha\psi)\chi_i$ (using that $\chi_i$ and $\psi$ commute), and elsewhere both $\chi_i$ and $\psi_j$ were sampled by $M$. Next, for each $0\le r\le l^2$, define the $r$-th hybrid distribution $H^{k,r} = (h_{i,j})$ by

$$h_{i,j} = \begin{cases} \psi_j^{-1}\chi_i^{-1}\alpha\chi_i\psi_j & \text{if } l(i-1)+j \le r,\\ \beta_w,\ w = l(i-1)+j & \text{if } l(i-1)+j > r,\end{cases}$$

where $\alpha\leftarrow IG(1^n,1^p)$; $\chi_1,\ldots,\chi_l\leftarrow LD_k$; $\psi_1,\ldots,\psi_l\leftarrow RD_k$; $\beta_{r+1},\ldots,\beta_{l^2}\leftarrow R_{k,\alpha}$.

Then we get that

$$\Pr[M(\alpha,\chi^{-1}\alpha\chi,\psi^{-1}\alpha\psi,\chi^{-1}\psi^{-1}\alpha\psi\chi)=1 : \alpha\leftarrow IG(1^n,1^p);\ \chi\leftarrow LD_k;\ \psi\leftarrow RD_k]$$
$$- \Pr[M(\alpha,\chi^{-1}\alpha\chi,\psi^{-1}\alpha\psi,\beta)=1 : \alpha\leftarrow IG(1^n,1^p);\ \chi\leftarrow LD_k;\ \psi\leftarrow RD_k;\ \beta\leftarrow R_{k,\alpha}]$$
$$= \frac{1}{l^2}\Bigl(\Pr[A(H^{k,l^2})=1 : \alpha\leftarrow IG(1^n,1^p);\ \chi_1,\ldots,\chi_l\leftarrow LD_k;\ \psi_1,\ldots,\psi_l\leftarrow RD_k]$$
$$- \Pr[A(H^{k,0})=1 : \alpha\leftarrow IG(1^n,1^p);\ \beta_1,\ldots,\beta_{l^2}\leftarrow R_{k,\alpha}]\Bigr).$$

Using these, the theorem can be proved by contradiction. □
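The two proof sketches above share one mechanism: a single DKL challenge is embedded at a random position of a vector (Theorem 2) or of an $l\times l$ matrix (Theorem 3), and the telescoping of the hybrids $H^{k,r}$ turns a distinguisher for the whole output into a DKL distinguisher. The following Python program is an added example, not code from the paper, that makes that mechanism concrete. Braid arithmetic (normal forms in $B_n$) is out of scope, so it replaces $S_\alpha(\chi,\psi)=\psi^{-1}\chi^{-1}\alpha\chi\psi$ by the DDH-style synthesizer $S(x,y)=g^{xy}\bmod p$ that the text compares the construction to; the prime, base and seeds are constructed toy values and provide no security. The index mapping $J=l(J_1-1)+J_2$, the matrix $C_S$, the hybrids and the reduction $M$ (which sees only $g^x$, $g^y$ and $\beta$, never $x$ or $y$) follow the proof of Theorem 3 step by step.

```python
"""Hybrid-argument scaffolding for the synthesizer proofs of Theorems 2 and 3.

Added example; not code from the paper. The paper's synthesizer is
S_alpha(chi, psi) = psi^-1 chi^-1 alpha chi psi over braid groups; braid normal
forms are out of scope here, so this toy uses the DDH-style synthesizer
S(x, y) = g^(x*y) mod p that the text compares the construction to. The prime,
base and seeds are constructed (insecure) parameters. What is faithful is the
structure: the matrix C_S, the hybrids H^{k,r} and the reduction M that embeds
its challenge at cell J = l*(J1-1) + J2 using only g^x and g^y.
"""
import random

P = 2**31 - 1   # toy prime (constructed; far too small for real use)
G = 7           # toy base (constructed)


def synth(x, y):
    """S(x, y) = g^(xy) mod p, the DDH-style stand-in for S_alpha."""
    return pow(G, (x * y) % (P - 1), P)


def matrix_c(xs, ys):
    """C_S(x, y) = (S(x_i, y_j))_{i,j}: what the distinguisher A receives."""
    return [[synth(x, y) for y in ys] for x in xs]


def cell_to_index(i, j, l):
    """Row-major position J = l*(i-1) + j of cell (i, j), 1-based."""
    return l * (i - 1) + j


def index_to_cell(J, l):
    """Step 2 of the proof: the (J1, J2) with 1 <= J1, J2 <= l and J = l*(J1-1)+J2."""
    q, r = divmod(J - 1, l)
    return q + 1, r + 1


def random_element(rng):
    """A uniform element of the group <g>: the stand-in for 'beta <- R_{k,alpha}'."""
    return pow(G, rng.randrange(P - 1), P)


def hybrid(r, xs, ys, seed):
    """H^{k,r}: real S-values at positions <= r, fresh random elements after r."""
    rng, l = random.Random(seed), len(xs)
    return [[synth(xs[i - 1], ys[j - 1]) if cell_to_index(i, j, l) <= r
             else random_element(rng)
             for j in range(1, l + 1)] for i in range(1, l + 1)]


def reduction_matrix(J, gx, gy, beta, l, seed):
    """Step 5 of the Theorem 3 sketch: M gets a challenge (g^x, g^y, beta) and
    builds the l x l matrix with cell J = beta, earlier cells real, later cells
    random. M never learns x or y: row J1 uses (g^x)^{y_j}, column J2 uses
    (g^y)^{x_i}. Returns the matrix and the sampled x_i, y_j (None at the
    challenge slots, which M does not know)."""
    rng = random.Random(seed)
    j1, j2 = index_to_cell(J, l)
    xs = [rng.randrange(1, P - 1) for _ in range(l)]
    ys = [rng.randrange(1, P - 1) for _ in range(l)]
    xs[j1 - 1] = ys[j2 - 1] = None

    def cell(i, j):
        w = cell_to_index(i, j, l)
        if w > J:
            return random_element(rng)
        if w == J:
            return beta
        if i == j1:
            return pow(gx, ys[j - 1], P)      # needs only g^x and M's own y_j
        if j == j2:
            return pow(gy, xs[i - 1], P)      # needs only g^y and M's own x_i
        return synth(xs[i - 1], ys[j - 1])

    return [[cell(i, j) for j in range(1, l + 1)] for i in range(1, l + 1)], xs, ys


def matches_hybrid_prefix(H, xs, ys, J):
    """True iff cells 1..J of H equal S(x_i, y_j). With beta real, M's matrix is
    distributed as H^{k,J}; with beta random it is distributed as H^{k,J-1}."""
    l = len(xs)
    return all(H[i - 1][j - 1] == synth(xs[i - 1], ys[j - 1])
               for i in range(1, l + 1) for j in range(1, l + 1)
               if cell_to_index(i, j, l) <= J)


if __name__ == "__main__":
    l, x, y, J = 4, 123456, 654321, 7
    H, xs, ys = reduction_matrix(J, pow(G, x, P), pow(G, y, P), synth(x, y), l, seed=3)
    j1, j2 = index_to_cell(J, l)
    xs[j1 - 1], ys[j2 - 1] = x, y            # the verifier knows x, y; M did not
    print("challenge cell", (j1, j2), "prefix consistent:", matches_hybrid_prefix(H, xs, ys, J))
```

Running it shows that with a real $\beta$ the matrix $M$ builds agrees with $C_S$ on every cell up to $J$, i.e. it is distributed as $H^{k,J}$; feeding the same code a random $\beta$ yields $H^{k,J-1}$, which is exactly the telescoping step both proofs rely on.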



5 Concluding Remarks

This article has considered two related hard problems in braid groups: the conjugacy problem and the Ko-Lee problem, which are believed to be computationally infeasible in our current state of knowledge.

Assuming that the conjugacy problem is one-way, we have presented two peculiar hard-core predicates, based on the infimum and the supremum of a braid, that are provably secure. This means that, given $(\alpha,\chi^{-1}\alpha\chi)$, predicting the least significant bit of $\inf(\chi)$ (or of $\sup(\chi)$) is as hard as recovering $\chi$ entirely.

Under the decision Ko-Lee assumption, we have proposed two practical pseudorandom schemes, a pseudorandom generator and a pseudorandom synthesizer, that are provably secure.

Braid groups are quite different from the other groups that have been dealt with so far, so the known methods for turning hard-core predicates into pseudorandom generators, and for turning pseudorandom generators or pseudorandom synthesizers into pseudorandom function generators, cannot be applied naively. Therefore, a natural line for further research is to study how to obtain these next cryptographic primitives from our results.
Abstract. Consider a scenario where an $l$-bit secret has been distributed among $n$ players by an honest dealer using some secret sharing scheme. Then, if all players behave honestly, the secret can be reconstructed in one round with zero error probability, and by broadcasting $nl$ bits.

We ask the following question: how close to this ideal can we get if up to $t$ players (but not the dealer) are corrupted by an adaptive, active adversary with unbounded computing power, where in addition we of course require that the adversary does not learn the secret ahead of reconstruction time? It is easy to see that $t=\lfloor(n-1)/2\rfloor$ is the maximal value of $t$ that can be tolerated, and furthermore, we show that the best we can hope for is a one-round reconstruction protocol where every honest player outputs the correct secret or “failure”. For any such protocol with failure probability at most $2^{-\Omega(k)}$, we show a lower bound of $\Omega(nl+kn^2)$ bits on the information communicated. We further show that this is tight up to a constant factor.

The lower bound trivially applies as well to VSS schemes, where also the dealer may be corrupt. Using generic methods, the scheme establishing the upper bound can be turned into a VSS with efficient reconstruction. However, the distribution phase then becomes very inefficient. Closing this gap, we present a new VSS protocol where the distribution complexity matches that of the previously best known VSS, but where the reconstruction phase meets our lower bound up to a constant factor. The reconstruction is a factor of $n$ better than in previous VSS protocols. We show an application of this to multi-party computation with pre-processing, improving the complexity of earlier similar protocols by a factor of $n$.



1 Introduction

The concept of secret sharing (introduced by Shamir) is of fundamental importance: in practical data security, as a way to protect a secret simultaneously from exposure and from being lost; and theoretically, as the basis for building general multi-party secure protocols.

In the original setting of Shamir, a dealer distributes a secret, say an $l$-bit string, to $n$ players, by privately sending a share to each player. The computation of the shares is done w.r.t. a threshold value $t$, where $1\le t<n$. Later, some subset of the players can attempt to reconstruct the secret by pooling their shares. A secret sharing scheme must ensure privacy, i.e., an adversary who sees up to $t$ of the shares learns no information about the secret, and correctness, i.e., the secret can always be reconstructed from a set of at least $t+1$ shares.

Here, we will first consider a more adversarial setting where up to $t$ of the players (but not the dealer) may be corrupted by an active, adaptive and unbounded adversary; in particular, corrupted players may contribute incorrect shares (or nothing) in the reconstruction phase. We still require privacy, and also correctness in the sense that the honest players can reconstruct the correct secret. Consider the following question: how much information must be sent in order for such a scheme to work? This question is interesting only if $n/3\le t<n/2$, since otherwise the problem is either “too hard” or “too easy”: if $t\ge n/2$ the problem clearly cannot be solved, and if $t<n/3$, standard methods immediately give an optimal solution with zero error probability.

Somewhat surprisingly, little work seems to have been done on the case $n/3\le t<n/2$ (although upper bounds follow from known protocols [12,4]). It is easy to see that for $t$ in this range, one cannot construct a scheme where the correct secret is always reconstructed. At best one can make a scheme where every honest player outputs the correct secret or “failure”, where the latter happens with probability only $2^{-\Omega(k)}$, where $k$ is a security parameter. For schemes that achieve this for the maximal value of $t$, i.e. $t=\lfloor(n-1)/2\rfloor$, and where the reconstruction is completed in a single round, we show a lower bound of $\Omega(nl+kn^2)$ bits on the amount of information sent in the reconstruction. This may be seen as an answer to the question “what does it cost to get the best possible security in a minimal number of rounds?”. No such bound was known previously, and it holds even for schemes that are not efficient.

We refer to the type of scheme we just described as Honest-Dealer VSS. This is because the well-known concept of Verifiable Secret Sharing (VSS), introduced in [3], is essentially what we just described, except that also the dealer can be corrupt. In VSS, distributing the secret may then take the form of an interactive protocol of several rounds. One usually assumes that a private channel connects every pair of players and that a broadcast channel is available.¹ A secure VSS must, in addition to what we required above, also ensure that immediately after the distribution phase, some value of the secret is uniquely defined (even if the dealer is corrupt) and that this value will be reconstructed (with overwhelming probability). Note that the standard definition of VSS is slightly weaker than ours in that it allows honest players to reconstruct (with small probability) an incorrect value of the secret, even if the adversary was passive in the distribution phase. However, all known VSS protocols for our communication model satisfy, or can trivially be modified to satisfy, our stronger definition.

Our lower bound for Honest-Dealer VSS trivially applies also to VSS (we cannot expect to do better in a more adversarial situation).

¹ The latter can be simulated by the private ones if $t<n/3$, but must be assumed as a separate primitive otherwise.
For an honest dealer, we use known results on authentication codes to show that the lower bound is tight up to a constant factor (even if we count the total information sent). The scheme establishing the upper bound is computationally efficient and can, at least in principle, be turned into a VSS, since the honest dealer could always be replaced by a secure multi-party computation using generic methods. This, however, is not a satisfactory solution: while reconstruction would have the same complexity as before, the distribution would become extremely inefficient in comparison. To close this gap, we present a new VSS protocol where the complexity of the distribution matches that of the previously best known VSS for our scenario, but where the reconstruction meets our lower bound. This beats previous VSS protocols by a factor of $n$.

We show an application of this to multi-party computation with pre-processing, introduced in [1], where the $n$ players ultimately want to compute a function $f$ on private inputs $x_1,\ldots,x_n$. In order to do this more efficiently than starting from scratch, the players are allowed to perform a pre-processing phase and to store some information obtained in this phase before the function and the inputs become known. The computation phase of our protocol has communication complexity $O(n^2k|C|)$, where $|C|$ is the size of the circuit to be computed. This improves the computation phase of earlier similar protocols by a factor of $n$ without increasing the complexity of the pre-processing.

In the appendix, we sketch how our results for a dishonest minority generalize to almost all $t$ in the range $n/3\le t<n/2$, and observe that already an arbitrarily small linear gap between $t$ and $n/2$ allows one to reduce the communication complexity of the reconstruction by a factor of $n$. We also show how to generalize our schemes to provide security against any (non-threshold) adversary, improving known results by a factor of at least $n$. Finally, we look at the case where the reconstruction is allowed to use more than one round of interaction and observe that the amount of information sent by the honest dealer can then be brought down to $n(n+k)$ bits, at the expense of a significantly less efficient reconstruction phase.

2 Communication Model

Throughout the paper, we consider the secure-channels model with broadcast, i.e. there is a set $\mathcal{P}=\{P_1,\ldots,P_n\}$ of $n$ players plus a so-called dealer $D$, every two entities being connected by a secure, untappable channel, and there is a broadcast channel available. We assume an active adversary with unbounded computing power that can corrupt up to a certain number $t$ out of the $n$ players in $\mathcal{P}$ plus the dealer $D$. An adversary is rushing if he can learn the messages sent by the honest players in each round before deciding on the messages for corrupted players in this round. Finally, the adversary can either be static or adaptive, the former meaning that he has to corrupt the players before the protocol execution and the latter that he can corrupt players at will during the protocol execution, depending on what he has seen so far. Throughout the paper, we consider a security parameter $k$.
3 Single-Round Honest-Dealer VSS

We first model the general communication pattern for VSS schemes where the dealer is guaranteed to be honest and whose reconstruction phase consists of a single round of communication. We will call such a scheme Single-Round Honest-Dealer VSS. Our main point of interest is the communication complexity of the reconstruction phase of such a scheme. Consider schemes of the following general form, and assume an active adversary who corrupts up to $t$ of the $n$ players $P_i$, but not the dealer (this is also known as robust secret sharing).

Distribution Phase: The honest dealer generates shares $s_i=(k_i,y_i)$, $i=1,\ldots,n$, according to a fixed and publicly known conditional probability distribution $P_{S_1\cdots S_n|S}(\cdot\,|\,s)$, where $s$ is the secret. Privately he sends $s_i$ to player $P_i$.

Reconstruction Phase: Each player $P_i$ is required to broadcast $\tilde y_i$, which is supposedly equal to $y_i$. Locally and by some fixed (possibly probabilistic) method, each player $P_i$ decides on the secret $s$ based on his private $k_i$ and on the broadcast $\tilde y_1,\ldots,\tilde y_n$, i.e., he either outputs a value $\tilde s$, hopefully equal to $s$, or outputs “failure”.

It is not difficult to see that in fact we may always and without loss of generality assume our schemes of interest to be of this form (please refer to the Appendix).

For each of the at most $t$ corrupted players $P_j$, the adversary can broadcast a manipulated $\tilde y_j$, which may depend arbitrarily on the private information $s_j=(k_j,y_j)$ of the corrupted players, or broadcast nothing at all in some cases (“crash faults”). Note though that for at least $n-t$ of the $\tilde y_i$'s it holds that $\tilde y_i=y_i$.

If additionally the adversary is rushing, he can choose to “speak last” in the reconstruction phase. This means that in principle any corrupted shares may additionally depend on the information broadcast by the honest players; in particular they may depend on the secret $s$. By contrast, a non-rushing adversary is one who selects the corrupted shares before the start of the reconstruction phase. Note that security against non-rushing adversaries makes sense in a communication model enhanced with a “simultaneous broadcast channel”, i.e., one by means of which all players broadcast their information at the same time.

We define our notion of security. Assume an active adversary that corrupts at most $t$ of the $n$ players but not the dealer. Additionally, the adversary can be static or adaptive, and rushing or non-rushing. A Single-Round Honest-Dealer VSS scheme is $(t,n,1-\delta)$-secure if the following holds.

Privacy: As a result of the distribution phase, the adversary gains no information about the secret $s$ distributed by the honest dealer.

$(1-\delta)$-Correctness: In the reconstruction phase, each uncorrupted player outputs either the correct secret $s$ or “failure”, where for every player the latter happens with probability at most $\delta<1$, independent of $s$.

In the special case that the adversary introduces only crash faults or remains passive, all honest players recover the correct secret $s$ with probability 1.

As mentioned in the Introduction, we focus on the case of a dishonest minority, i.e., $t=\lfloor(n-1)/2\rfloor$, the maximal value of $t$ for which $(t,n,1-\delta)$-security is achievable. For the corresponding results for a (nearly) arbitrary $t$ in the range $n/3\le t<n/2$, we refer to the Appendix. Note that the case $t<n/3$ is completely understood: zero failure probability and optimally efficient communication can be achieved by a combination of Shamir's secret sharing scheme and standard efficient error correction techniques.

We stress that our definition of security captures the best one can achieve in this setting. Negligible error $\delta^m$ is achieved by $m$ parallel repetitions. More importantly, it only differs from perfect security in the sense that there is a (small) probability that some player does not reconstruct the secret and outputs “failure” instead. This is unavoidable in the presence of an arbitrary (not necessarily rushing) active adversary, as is easy to see (please refer to the Appendix). Furthermore, existing Honest-Dealer VSS schemes like [12] (“secret sharing when the dealer is a knight”) fulfill our security definition without any changes in the required communication.

A seemingly stronger security definition would require agreement among the honest players in all cases, i.e., they all recover the correct secret or they all output “failure”, where the latter would happen with probability at most $\delta$. However, this is impossible to achieve in a single-round reconstruction phase with a rushing adversary, as we show in the Appendix.²

Note also that the reconstruction procedure in our definition is completely general in that it does not dictate how the correct secret is recovered by the honest players. The definition merely states that from all broadcast information and from his private information, an honest player can reconstruct the secret. In particular, in our definition it need not be the case that an honest player, using his private information, “filters out” false shares and reconstructs the secret from the “good” ones, as is the case for the known schemes [12,4] and the one we present later.

4 Lower Bound on Reconstruction Complexity

We prove the following lower bound. Note that the standard definitions of entropy, conditional entropy, mutual information and conditional mutual information are used throughout this section; standard textbooks give an excellent introduction to information theory.

Theorem 1. For any family of Single-Round Honest-Dealer VSS schemes, $(t,n,1-\delta)$-secure against an active, rushing adversary, the following holds. If $t=\lfloor(n-1)/2\rfloor$ and $\delta\in 2^{-\Omega(k)}$ for a security parameter $k$, then the total information broadcast in the reconstruction phase is lower bounded by $\Omega(nH(S)+kn^2)$.

Note that it is immaterial whether the adversary is adaptive or not.

In the following, we will call $K_i$ the key and $Y_i$ the public share of player $P_i$. Theorem 1 follows immediately from Proposition 1 below.

² In the Appendix we argue that agreement is possible in the presence of a non-rushing adversary. Agreement can be achieved in all cases by adding one extra round of communication.
Proposition 1. Let $S_1=(K_1,Y_1),\ldots,S_n=(K_n,Y_n)$ be distributed according to the Single-Round Honest-Dealer VSS scheme. Then, in case of an odd $n$, the size of any public share $Y_i$ is lower bounded by

$$H(Y_i)\in\Omega(H(S)+kn),$$

while for an even $n$, it is the size $H(Y_iY_j)$ of every pair $Y_i\ne Y_j$ that is lower bounded by $\Omega(H(S)+kn)$.

We will only prove the case of an odd $n$, i.e., $n=2t+1$; the proof for an even $n$, i.e. $n=2t+2$, goes accordingly. But before going into the proof, consider the following Lemma, which states a well-known result from Authentication Theory that can be found in various places in the literature (for a very general treatment of Authentication Theory consult [11]).

Lemma 1. Let $K$, $M$, $Y$ and $Z$ be random variables (typically key, message, tag and public information of an authentication scheme) with joint distribution $P_{KMYZ}$ such that $M$ is independent of $K$ and $Z$ but uniquely defined by $Y$ and $Z$. Then, knowing $Z$, one can compute $\hat Y$, consistent with $K$ and $Z$, with probability
$p_I \geq$ .

Also, knowing $Z$ and $Y$, one can compute $\tilde Y$, consistent with $K$ and $Z$ and with an $\tilde M\ne M$, with probability
$p_S \geq$ .

In the context of Authentication Theory, $\hat Y$ describes an impersonation and $\tilde Y$ a substitution attack, and $p_I$ and $p_S$ are the corresponding success probabilities.

In the proof of Proposition 1 we apply the following Corollary, which follows from the fact that a successful impersonation attack is also a successful substitution attack with probability at least $1/2$, assuming that $M$ is uniformly distributed among a set of cardinality at least two.

Corollary 1. Let $K$, $M$, $Y$ and $Z$ be as above, except that $M$ is required to be uniformly distributed among a non-trivial set. Then, knowing $Z$, one can compute $\tilde Y$, consistent with $K$ and $Z$ and with an $\tilde M\ne M$, with probability
$p_S \geq$ .

Proof of Proposition 1. Since by the privacy of the scheme the public share $Y_i$ is independent of $S$, and hence $H(Y_i)$ does not depend on the distribution of $S$, we can assume $P_S$ to be the uniform distribution. Furthermore, for symmetry reasons, we can focus on the public share of the player $P_{t+1}$.

Let $i\in\{1,\ldots,t\}$ be arbitrary but fixed, and consider an adversary corrupting the first $i-1$ players $P_1,\ldots,P_{i-1}$ as well as the player $P_{t+1}$. One of the goals of the adversary could be to substitute $P_{t+1}$'s public share $Y_{t+1}$ by a false share $\tilde Y_{t+1}$ that is consistent with the public shares $Y_1,\ldots,Y_t$ of the first $t$ players and player $P_i$'s key $K_i$ (and maybe even the keys $K_1,\ldots,K_{i-1}$), but that leads to an incorrect secret $\tilde S\ne S$. Indeed, if the adversary succeeds in this attack, then from player $P_i$'s point of view the $t+1$ public shares $Y_1,\ldots,Y_t,\tilde Y_{t+1}$ could come from honest players and the $t$ shares $Y_{t+2},\ldots,Y_n$ from corrupted players. Hence, $P_i$ clearly cannot compute the correct secret with certainty, and so outputs “failure”. Therefore, the success probability of this attack is at most $\delta\in 2^{-\Omega(k)}$. On the other hand, however, according to the above Corollary, applied to $K=K_i$, $M=S$, $Y=Y_{t+1}$ and $Z=(K_1,\ldots,K_{i-1},Y_1,\ldots,Y_t)$, the success probability is at least the bound $p_S$ given there. Therefore, we have $I(K_i;Y_{t+1}\,|\,K_1\cdots K_{i-1}Y_1\cdots Y_t)\in\Omega(k)$. This holds for every $i\in\{1,\ldots,t\}$, and hence, using the chain rule for mutual information, we get

$$I(K_1\cdots K_t;\,Y_{t+1}\,|\,Y_1\cdots Y_t) = \sum_{i=1}^{t} I(K_i;\,Y_{t+1}\,|\,Y_1\cdots Y_t\,K_1\cdots K_{i-1}) \in \Omega(kt)$$

and therefore $H(Y_{t+1})\ge I(K_1\cdots K_t;\,Y_{t+1}\,|\,Y_1\cdots Y_t)\in\Omega(kt)=\Omega(kn)$.

As $S_1,\ldots,S_t$ give no information about $S$, but $S_1,\ldots,S_t,Y_{t+1}$ determine $S$, we also have $H(Y_{t+1})\ge H(S)$, and hence $H(Y_{t+1})\in\Omega(H(S)+kn)$. □

In the Appendix we illustrate the power of rushing by giving an example of a concrete scheme secure against a non-rushing adversary that beats the lower bound, and sketch a tight lower bound result. We also briefly discuss the minimal complexity of the distribution phase of schemes secure against a rushing adversary.



5 Tightness of the Lower Bound

We first describe a very natural, generic construction of a Single-Round Honest-Dealer VSS and then present a particular instantiation that meets the lower bound from the previous section. Rabin and Ben-Or [12] first considered a solution of this type. The scheme below differs from theirs only in the choice of the authentication code (which, however, will be relevant later on).

Let a $(t+1,n)$-threshold secret-sharing scheme be given, as well as an authentication scheme, e.g. based on a family of strongly universal hash functions $\{h_K\}_{K\in\mathcal{K}}$. To share a secret $s$, the dealer $D$ generates shares $s_1,\ldots,s_n$ according to the secret sharing scheme, and, for each pair of players $P_i,P_j$, he selects a random authentication key $K_{ij}\in\mathcal{K}$ which will be sent to $P_j$, who will later use it to verify a share contributed by $P_i$. Then $D$ computes for each share $s_i$ and for each $P_j$ the authentication tag $y_{ij}=h_{K_{ij}}(s_i)$ that should be revealed by $P_i$ at reconstruction time to convince $P_j$ that $P_i$'s share $s_i$ is valid. $D$ then simply sends shares, tags and keys privately to the players who own them. To reconstruct, every player broadcasts his share together with the tags (or, alternatively, sends to every player his share and the corresponding tag), and verifies the authenticity of the received shares using his keys.

We use Shamir's secret sharing scheme over a field $F$ with $|F|>n$, and the well-known family of hash functions $h_{(a,b)}(X)=aX+b$ defined over $F$. The success probability of a substitution attack on the corresponding authentication scheme is $1/|F|$. It follows that the probability of player $P_i$ accepting a false share from another player is $1/|F|$, and hence the probability of player $P_i$ not reconstructing the correct secret is at most $t/|F|$. By comparing all the accepted shares with the reconstructed sharing polynomial and outputting “failure” in case of inconsistencies, he makes sure not to output an incorrect secret. Hence, choosing $F$ such that $|F|$ is in $2^{\Theta(k)}$ (assuming $n$ to be at most polynomial in $k$), we have the following upper bound, already achieved in [12].

Theorem 2. For $t=\lfloor(n-1)/2\rfloor$, there exists a Single-Round Honest-Dealer VSS scheme, $(t,n,1-2^{-\Omega(k)})$-secure against an adaptive and rushing adversary, with a total communication complexity of $O(kn^2)$ bits.

A remark concerning the authentication code. The choice of the code is not completely arbitrary, since it is important for our later purposes that the computation of tags has low arithmetic complexity (here one multiplication and one addition over $F$) and that the tags are linear if $a$ is fixed, as shown in Section 7.1.
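The scheme of Sections 3 and 5, written out as an added Python example (not code from the paper): Shamir sharing over $F=\mathrm{GF}(2^{61}-1)$, a key $K_{ij}=(a_{ij},b_{ij})$ per ordered pair of players, tags $y_{ij}=a_{ij}s_i+b_{ij}$, and the local decision rule of the reconstruction phase: accept a share only if its tag verifies under the verifier's own key, interpolate from $t+1$ accepted shares, cross-check every accepted share against that polynomial and output “failure” on any inconsistency, so that a wrong secret is never output. The field size, $n=5$, $t=2$, the secret and the RNG seeds are constructed parameters chosen for the demonstration; a corrupted player's forged share is rejected except with probability $1/|F|$ (the case $a_{ij}=0$).

```python
"""Single-Round Honest-Dealer VSS: Shamir shares plus pairwise one-time MACs.

Added example; not code from the paper. It instantiates the generic scheme of
Sections 3 and 5: the dealer gives P_i a share s_i, a tag y_ij = a_ij*s_i + b_ij
for every verifier P_j, and gives P_j the key K_ij = (a_ij, b_ij). Field, n, t,
secret and seeds are constructed toy parameters.
"""
import random

PRIME = 2**61 - 1          # toy field F = GF(2^61 - 1): |F| in 2^Theta(k) for k ~ 61
FAILURE = "failure"


def poly_eval(coeffs, x):
    """Evaluate sum_i coeffs[i] * x^i over F (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def lagrange_eval(points, x0):
    """Value at x0 of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def deal(secret, n, t, seed):
    """Distribution phase of the honest dealer D. Returns each player's private
    state: own share s_i, the tags P_i will reveal, and the keys P_i verifies with."""
    rng = random.Random(seed)
    coeffs = [secret % PRIME] + [rng.randrange(PRIME) for _ in range(t)]
    shares = {i: poly_eval(coeffs, i) for i in range(1, n + 1)}
    keys = {(i, j): (rng.randrange(PRIME), rng.randrange(PRIME))
            for i in range(1, n + 1) for j in range(1, n + 1) if i != j}
    tags = {(i, j): (a * shares[i] + b) % PRIME for (i, j), (a, b) in keys.items()}
    return {i: {"share": shares[i],
                "tags": {j: tags[(i, j)] for j in range(1, n + 1) if j != i},
                "keys": {l: keys[(l, i)] for l in range(1, n + 1) if l != i}}
            for i in range(1, n + 1)}


def honest_broadcast(state, i):
    """What P_i broadcasts in the single reconstruction round: (share, tags)."""
    return state[i]["share"], state[i]["tags"]


def reconstruct(my_id, my_state, broadcasts, t):
    """P_j's local decision: accept shares whose tag verifies under K_ij, interpolate
    from t+1 accepted shares, cross-check every accepted share against that
    polynomial, and output the secret or FAILURE (never an incorrect secret)."""
    accepted = [(my_id, my_state["share"])]            # own share needs no check
    for i, (s_i, tags_i) in broadcasts.items():
        if i == my_id or s_i is None:                    # skip self and crash faults
            continue
        a, b = my_state["keys"][i]
        if tags_i is not None and (a * s_i + b) % PRIME == tags_i.get(my_id):
            accepted.append((i, s_i))
    if len(accepted) < t + 1:
        return FAILURE
    base = accepted[:t + 1]
    if any(lagrange_eval(base, i) != s for i, s in accepted):
        return FAILURE
    return lagrange_eval(base, 0)


def reconstruction_bits(n, field_bits):
    """Broadcast volume: each player sends one share and n-1 tags, i.e. Theta(k n^2)."""
    return n * n * field_bits


if __name__ == "__main__":
    n, t, secret = 5, 2, 424242
    st = deal(secret, n, t, seed=7)
    bc = {i: honest_broadcast(st, i) for i in range(1, n + 1)}
    # Adversary corrupts P_1 (false share, unchanged tags) and P_2 (crash fault).
    s1, tags1 = bc[1]
    bc[1] = ((s1 + 1) % PRIME, tags1)
    bc[2] = (None, None)
    for j in (3, 4, 5):
        print(f"P_{j} outputs", reconstruct(j, st[j], bc, t))
    print("bits broadcast:", reconstruction_bits(n, 61))
```

With $n=5$ and $t=2$ the honest players $P_3,P_4,P_5$ still hold $t+1$ verified shares after rejecting $P_1$'s forgery and ignoring $P_2$'s silence, so each outputs the secret; had a forged share slipped through (probability $1/|F|$), the consistency check against the interpolated polynomial would turn that into “failure” rather than a wrong value.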

6 Upper Bound in the Presence of a Corrupted Dealer 

In this section, we present a VSS scheme with a one-round reconstruction, where 
the complexity of the distribution phase matches that of the previous best known 
VSS for our scenario P], but where the reconstruction phase meets our lower 
bound up to a constant factor. This is at least a factor of n better than previous 
VSS protocols. 

6.1 Definition 

Since now the dealer might be corrupt as well and so the distribution of the 
secret takes the form of an interactive protocol, the adversary can not only 
intrude faults in the reconstruction, but also in the distribution. Therefore, our 
definition operates with two error probabilities, which for a concrete scheme do 
not have to be equal: first the probability that the distribution fails to work as 
supposed, and second the probability that the reconstruction fails, even though 
the distribution succeeded. 

Assume an active adversary that corrupts at most t of the n players plus 
the dealer (respectively, including the dealer, in case he is one of the players). 
Additionally, the adversary can be static or adaptive, and rushing or non-rushing. 
Consider a scheme with an arbitrary distribution phase resulting in every player 
Pi holding a key ki and a public share yi and with a one-round reconstruction 
phase as in the honest dealer case. We call such a scheme {t, n, 1 — /?, l — 5)-secure 
if, except with probability (d (taken over the coin flips during the distribution), 
the following holds. 

Privacy: As long as the dealer remains honest, the adversary gains no infor- 
mation about the shared secret s as a result of the distribution phase. 
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(1 — S)-Correctness: Once all currently uncorrupted players complete the dis- 
tribution phase, there exists a fixed value s' such that in the reconstruction 
phase each uncorrupted player outputs either s' or “failure” , where for every 
player the latter happens with probability at most 5 < 1, independent of s' . 
If the dealer remains uncorrupted during the distribution, then s' = s. 

In the special case that the adversary introduces only crash-faults or remains 
passive, all honest players recover s' with probability 1. 

Again, existing VSS schemes essentially fulfill our stronger definition; in particular the most efficient solution known, [?], fulfills it without any changes in the required communication, while the [12] protocol requires some straightforward modifications.

6.2 Towards VSS with Optimized Reconstruction 

The security of the scheme from the last section evidently breaks down completely in case the dealer is corrupted. In the distribution phase, he could hand out inconsistent shares and inconsistent authentication tags, and, in the reconstruction phase, since he knows all the keys, he could compute correct tags for false shares. This would allow him to disrupt the reconstruction and even to cause different secrets to be reconstructed (see the analysis in [?] of WSS from [12]). To remedy this, we have to ensure that the players that remain honest receive consistent shares, and that they accept each other's shares at reconstruction, while rejecting false shares. Of course, as mentioned in the introduction, this could in principle be achieved by replacing the dealer of the Honest-Dealer VSS by a general MPC. This, however, would result in a rather inefficient distribution phase. For the same reason, the following approach is not a satisfactory solution either. We force the dealer to distribute consistent shares $s_1, \ldots, s_n$ by doing a “two-dimensional sharing” as in [2] or [?], and then every tag $y_{ij}$ for a share $s_i$ is computed in a multi-party fashion, such that it is guaranteed to be correct and the corresponding key is only known to the verifier $P_j$. Again, doing general MPC would result in a rather inefficient distribution phase; however, the following points provide some intuition as to why the full generality of MPC protocols is not needed, and instead we can do a specialized MPC.

1. A “two-dimensional sharing” from [2] or [?] not only ensures that the uncorrupted players hold consistent shares, but also that every share $s_i$ is again correctly shared. Hence, one input to the MPC, $s_i$, is already correctly shared.

2. We only have to guarantee that a tag is computed correctly if the player who will later verify it is honest at distribution time. At reconstruction, a corrupted player can always claim a tag to be invalid, even if it were good. For this reason, full VSS of the authentication key will not be necessary.

3. The function to be computed uses only one multiplication and one addition. This will allow us to do the distributed multiplication locally, i.e. no re-sharing as in [?] will be needed.
6.3 The CDDHR VSS Sharing Protocol

To describe the sharing protocol from [?], we start by reviewing the concept of Information Checking (IC), introduced in [12]. In essence, an IC scheme provides unconditionally secure “signatures” with limited transferability. More concretely, it allows a sender $S$ to provide a transmitter $T$ (also called intermediary) with a message $m$ and a “signature” $\sigma$, such that $T$ can later pass $(m, \sigma)$ on to a recipient $R$, claiming that $m$ originates with $S$. The signature $\sigma$ enables $R$ to verify this. We use the notation $\sigma_m(S, T; R)$ to refer to such a signature. Although in reality the “signing” procedure is an interactive protocol involving all three players and using a broadcast channel, we abuse language slightly and simply say that $S$ “sends the signature $\sigma_m(S, T; R)$ to $T$”. IC must fulfill the following requirements, except with some small error probability. If $T$ and $R$ are uncorrupted, then $R$ indeed accepts $T$'s message $m$ (consistency). If, on the other hand, $S$ and $R$ are uncorrupted, then $R$ rejects any message $m' \neq m$ (correctness). Finally, if $S$ and $T$ are uncorrupted, then $R$ gets no information on $m$ before $T$ passes $(m, \sigma)$ on to him (secrecy). It is easy to extend this concept and the corresponding protocols to multiple recipients, say $R_1, \ldots, R_n$, by simply executing the single recipient protocol for each possible recipient. We then use the notation $\sigma_m(S, T) = (\sigma_m(S, T; R_1), \ldots, \sigma_m(S, T; R_n))$. For a formal definition and technical details, please refer to [12] and [?].

Please recall that the IC-signatures from [?] over a field $F$ have the following linearity properties. If $T$ holds two signatures $\sigma_m(S, T; R)$ and $\sigma_{m'}(S, T; R)$ and if $\lambda$ is known to $R$ and $T$, then $T$ can compute a signature $\sigma_{m+m'}(S, T; R)$ for $m + m'$ and a signature $\sigma_{\lambda m}(S, T; R)$ for $\lambda m$. This holds analogously in the multi-recipient case. As to efficiency, generating a signature $\sigma_m(S, T; R)$ costs $O(\log|F|)$ bits of communication, and generating a signature $\sigma_m(S, T)$ with $n$ recipients costs $O(n \log|F|)$ bits of communication. Furthermore, the secrecy condition holds perfectly, while correctness and consistency hold with probability $1 - [\ldots]$ for a single-recipient and $1 - 2^{-[\ldots]}$ for a multi-recipient signature.

We present the VSS sharing protocol from [?], which we will call PreShare, in a slightly modified version. Namely, for ease of exposition, we use a symmetrical polynomial and we omit the signatures made by the dealer (since these are needed only to catch a corrupted dealer early on).

Protocol PreShare

1. To share a secret $s \in F$, the dealer chooses a random symmetrical bivariate polynomial $f$ of degree at most $t$ in both variables with $s$ as constant coefficient, i.e. $f(0, 0) = s$.

2. To every player $P_i$, the dealer privately sends the actual share $s_i = f(i, 0)$ and the sharing $s_{i1} = f(i, 1), \ldots, s_{in} = f(i, n)$ of $s_i$.

(Footnote) In the descriptions of all the protocols, whenever a player expects to receive a message from another player, but no message arrives or it is not in the right format, he takes some fixed default value as the received message.
3. For every two players $P_i$ and $P_j$, the following is done. $P_i$ sends $s_{ij}$ together with a signature $\sigma_{s_{ij}}(P_i, P_j) = (\sigma_{s_{ij}}(P_i, P_j; P_1), \ldots, \sigma_{s_{ij}}(P_i, P_j; P_n))$ to $P_j$. If $s_{ij} \neq s_{ji}$, then $P_j$ broadcasts a complaint, to which the dealer has to answer by broadcasting $s_{ji}$. If this value does not coincide with $P_j$'s $s_{ji}$, then $P_j$ accuses the dealer publicly, who then has to broadcast $P_j$'s share $s_j$ and subshares $s_{j1}, \ldots, s_{jn}$.

4. If at some point the broadcast information is inconsistent, the players take some publicly known default sharing.

This protocol stands as a VSS sharing protocol on its own (but with “expensive” reconstruction, as argued earlier). The proof of this fact is based on the following observations. Please refer to [?] or the appendix.

Proposition 2. After the execution of PreShare, every honest $P_i$ holds a share $s_i$ and signed sub-shares $s_{i1}, \ldots, s_{in}$ such that

1. If the dealer remains honest, then the adversary has no information about the secret $s$.

2. The sub-shares $s_{i1}, \ldots, s_{in}$ of any honest player $P_i$ are a correct sharing of $s_i$, and $s_{ij} = s_{ji}$ holds for all $P_i$ and $P_j$ who remain honest.

3. The shares $s_i$ of the honest players are correct shares of a unique value $s'$, which is the secret $s$ if the dealer remains honest.

4. For any (honest or dishonest) player $P_j$, the sub-shares $s_{ij}$ of the honest players $P_i$ are correct shares of $P_j$'s share $s_j$, which is well defined by the shares $s_i$ of the honest players.

The communication complexity of this PreShare protocol is $O(n^3 \log|F|)$ bits: the dealer essentially distributes $n^2$ sub-shares ($n$ to each of the $n$ players), and each of these sub-shares is signed, where signing costs $O(n \log|F|)$ bits of communication per signature.

6.4 Computing Tags by a Specialized MPC 

Consider now a fixed player $P_i$ after the execution of PreShare, holding his share $s_i$ and the corresponding sub-shares $s_{i1}, \ldots, s_{in}$ with signatures $\sigma_{s_{i1}}(P_1, P_i), \ldots, \sigma_{s_{in}}(P_n, P_i)$. We now want to compute authentication tags $y_{ij} = \alpha_{ij} \cdot s_i + \beta_{ij}$ for $s_i$ as they are computed by the dealer in the Honest-Dealer VSS protocol, but without letting the dealer know the keys; $(\alpha_{ij}, \beta_{ij})$ should only be known to $P_j$.

At the heart, there is the following problem. A player $P$ wants to compute the tag $y = \alpha \cdot m + \beta$ for his secret message $m$ with respect to a player $V$'s secret key $(\alpha, \beta)$. As already mentioned earlier, this will be done by a specialised MPC.

We assume that $P$'s message $m$ is already correctly shared by shares $m_1, \ldots, m_n$ and that $P$ holds signatures $\sigma_{m_1}(P_1, P; V), \ldots, \sigma_{m_n}(P_n, P; V)$, verifiable by $V$. If the protocol PreShare from the previous section has been executed, and if $P$'s message $m$ stands for $P_i$'s share $s_i$, then this is fulfilled with $m_k = s_{ik}$ and $\sigma_{m_k}(P_k, P; V) = \sigma_{s_{ik}}(P_k, P_i; P_j)$.

(Footnote) Of course, broadcast values do not have to be signed anymore; however, for simpler notation, we assume that also broadcast sub-shares $s_{ij}$ are signed by $\sigma_{s_{ij}}(P_i, P_j)$.
Protocol MPAuth

1. $V$ chooses a random polynomial $f_\alpha$ of degree at most $t$ with $f_\alpha(0) = \alpha$ and a random polynomial $f_\beta$ of degree at most $2t$ with $f_\beta(0) = \beta$. For every player $P_k$, $V$ sends the shares $\alpha_k = f_\alpha(k)$ and $\beta_k = f_\beta(k)$ to $P_k$ together with signatures $\sigma_{\alpha_k}(V, P_k; P)$ and $\sigma_{\beta_k}(V, P_k; P)$, verifiable by $P$.

2. Every player $P_k$, having received the shares $\alpha_k$ and $\beta_k$ with the corresponding signatures and holding the share $m_k$ of $m$, computes $y_k = \alpha_k \cdot m_k + \beta_k$ and, using the linearity property of the signatures, the corresponding signature $\sigma_{y_k}(V, P_k; P)$, and passes $y_k$ and $\sigma_{y_k}(V, P_k; P)$ on to $P$, who verifies the signature (see point [?] in Section 6.2).

3. If $P$ receives all the $y_k$ and all the signatures are good, then he can reconstruct $y$ by interpolation, i.e. by computing a polynomial $f_y$ of degree at most $2t$ with $f_y(k) = y_k$ for all $P_k$ and computing $y = f_y(0)$.

If some signature $\sigma_{y_k}(V, P_k; P)$ is not correct, then before computing $y$ as above, $P$ passes $m_k$ and $\sigma_{m_k}(P_k, P; V)$ on to $V$, who verifies the signature and in case of a good signature returns $y_k = \alpha_k \cdot m_k + \beta_k$ to $P$ (see point [?] in Section [?] for the case $V$ refuses).

Proposition 3. Under the assumptions stated before the protocol, the following holds except with probability $[\ldots]$.

1. If $P$ and $V$ remain honest during the execution, then $y = \alpha \cdot m + \beta$.

2. If $P$ remains honest, then the adversary learns nothing about $m$.

3. If $V$ remains honest, then the adversary learns nothing about $\alpha$.

Hence, the tag $y$ can be thought of as being computed by some honest player.

Proof. We will prove 1., 2. and 3. under the assumption that the security properties of the signatures hold without error probability; this proves the claim.

1. Let $f_m$ be the polynomial of degree at most $t$ with $f_m(k) = m_k$ and hence $f_m(0) = m$. The $n$ shares $y_k = \alpha_k \cdot m_k + \beta_k$ define a unique polynomial $f_y$ of degree at most $2t$ with $f_y(k) = y_k$ and $f_y(0) = y = \alpha \cdot m + \beta$, namely $f_y = f_\alpha \cdot f_m + f_\beta$. So, if all $n$ players $P_k$ behave and send $y_k$ with the correct signature to $P$, then $P$ can compute $f_y$ and hence $y$. If on the other hand some corrupted player $P_k$ misbehaves and sends an incorrect $y_k$ to $P$ (or an incorrect signature or nothing at all), then $P$ recognizes this and gets the correct $y_k$ from $V$. Hence, even in this case $P$ gets all the correct $y_k$ and can therefore reconstruct $y$.

2. We assume wlog that $V$ is corrupted. If all the corrupted players $P_k$ follow the protocol, then the adversary definitely gets no information at all. If some corrupted player $P_k$ misbehaves (e.g. by sending a bad $y_k$), then the adversary only learns $m_k$, which he already knows.

3. We assume that $P$ is corrupted. Note that the adversary does not learn anything new by asking $V$ for a $y_k$ in step 3., since the correct value $m_k$ must be sent to $V$ (otherwise $V$ would not accept the signature and return nothing).

(Footnote) Note that $m_k$ is known to both $P_k$ and $P$.
We have to show that the adversary's view of this protocol gives no information about $\alpha$. The adversary's view, excluding the signatures, consists of $m, m_1, \ldots, m_n, y_1, \ldots, y_n$ and $\alpha_k$ and $\beta_k$ for $P_k \in A$, where $A$ is the set of corrupted players, with $y_k = \alpha_k \cdot m_k + \beta_k$. Consider the polynomial $d_\alpha(X) = \prod_{P_k \in A} (k - X)/k$ of degree $t$ and the polynomial $d_\beta = -d_\alpha \cdot f_m$ of degree at most $2t$. Note that $d_\alpha(0) = 1$ and $d_\beta(0) = -m$ and $d_\alpha(k) = 0 = d_\beta(k)$ for all $P_k$ in $A$. This implies that if $f_\alpha$ and $f_\beta$ are the sharing polynomials for $\alpha$ and $\beta$, then for any $\alpha', \beta'$ with $\alpha' \cdot m + \beta' = y$, the polynomials $f_{\alpha'} = f_\alpha + (\alpha' - \alpha) d_\alpha$ and $f_{\beta'} = f_\beta + (\alpha' - \alpha) d_\beta$ are sharing polynomials for $\alpha'$ and $\beta'$, consistent with the adversary's view. Note that $f_{\beta'}(0) = \beta - (\alpha' - \alpha) m = y - \alpha' \cdot m = \beta'$. Since $f_\alpha$ and $f_\beta$ are randomly chosen with $f_\alpha(0) = \alpha$ and $f_\beta(0) = \beta$, the adversary's view of the protocol, excluding the signatures, is independent of $\alpha$. This together with the secrecy property of the signatures proves the claim. □

The communication complexity of one execution of MPAuth is $O(n \log|F|)$ bits. Namely, $V$ essentially shares $\alpha$ and $\beta$. Note that the signatures involved are signatures verifiable by one player, hence they only cost $O(\log|F|)$ bits of communication.
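As an added example that is not part of the paper, the following Python simulates one MPAuth execution over a prime field. The field, the function names and the treatment of the IC signatures (abstracted as P being able to tell whether the received $y_k$ is the one $P_k$ should have sent) are this example's assumptions; it also shows why the signatures are needed, since with exactly $2t+1$ points on a degree-$2t$ polynomial a single wrong $y_k$ cannot be detected from the points alone.

```python
# Added example (not from the paper): one MPAuth run with a single verifier V.
# The IC signatures are abstracted away: the simulation assumes P can tell whether
# a received y_k is the one P_k should have sent, which is what the signatures give.
import secrets

P = 2**61 - 1  # constructed choice of prime field F; |F| ~ 2^61


def shamir_share(secret, degree, n):
    """Shares `secret` with a random polynomial of the given degree; returns f(1), ..., f(n)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(degree)]
    return [sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P for x in range(1, n + 1)]


def interpolate_at_zero(points):
    """Lagrange interpolation at X = 0 through the given (x, y) points (all x distinct)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def mpauth(alpha, beta, m_shares, t, cheater=None, check_signatures=True):
    """One MPAuth execution with n = 2t + 1 players.

    V shares alpha with a degree-t polynomial and beta with a degree-2t polynomial;
    every P_k returns y_k = alpha_k * m_k + beta_k, which lies on the degree-2t
    polynomial f_alpha * f_m + f_beta, so P recovers y = f_y(0) by interpolation.
    If `cheater` is set, that player sends a wrong y_k; with signatures checked, P
    notices and obtains the correct y_k from V (step 3 of the protocol).
    """
    n = len(m_shares)
    assert n == 2 * t + 1
    alpha_shares = shamir_share(alpha, t, n)       # step 1: degree t
    beta_shares = shamir_share(beta, 2 * t, n)     # step 1: degree 2t
    points = []
    for k in range(1, n + 1):
        correct_y_k = (alpha_shares[k - 1] * m_shares[k - 1] + beta_shares[k - 1]) % P  # step 2
        sent_y_k = correct_y_k if k != cheater else (correct_y_k + 1) % P
        if check_signatures and sent_y_k != correct_y_k:
            # The signature on a wrong y_k does not verify, so P forwards m_k to V,
            # who recomputes y_k from its own alpha_k, beta_k (step 3, fallback path).
            sent_y_k = correct_y_k
        points.append((k, sent_y_k))
    return interpolate_at_zero(points)  # step 3: deg f_y <= 2t, so 2t + 1 points suffice


def demo(t=2):
    """Constructed run: honest players, a caught cheater, and an unchecked cheater."""
    n = 2 * t + 1
    alpha, beta, m = secrets.randbelow(P), secrets.randbelow(P), secrets.randbelow(P)
    m_shares = shamir_share(m, t, n)               # m is assumed already shared (degree t)
    expected = (alpha * m + beta) % P
    honest = mpauth(alpha, beta, m_shares, t)
    caught = mpauth(alpha, beta, m_shares, t, cheater=3)
    # Without the signature check nothing flags the bad point: 2t + 1 points for a
    # degree-2t polynomial leave no redundancy, so the reconstructed tag is wrong.
    unchecked = mpauth(alpha, beta, m_shares, t, cheater=3, check_signatures=False)
    return honest == expected, caught == expected, unchecked != expected
```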



6.5 The VSS Protocol 

The VSS sharing protocol that meets the lower bound of Theorem [?] now works as follows. First, PreShare is applied to the secret and then, by applying MPAuth to the shares, the sub-shares and signatures are stripped off and replaced by tags for the actual shares:

Protocol Share

1. The above protocol PreShare is executed on the secret $s$. As a result, every player $P_i$ holds a share $s_i$, sub-shares $s_{i1}, \ldots, s_{in}$ and signatures $\sigma_{s_{i1}}(P_1, P_i), \ldots, \sigma_{s_{in}}(P_n, P_i)$.

2. For every player $P_i$, tags $y_{i1}, \ldots, y_{in}$ for $s_i$ are computed by executing MPAuth with every player $P_j$ on the message $s_i$ and $P_j$'s randomly chosen key $(\alpha_{ij}, \beta_{ij})$.

Note that all the sub-shares $s_{ij}$ and signatures $\sigma_{s_{ij}}(P_j, P_i)$ are only temporarily used and can be deleted at the end of the protocol. For the reconstruction, as in the honest-dealer case, only the shares, the tags and the keys are needed.

Theorem 3. For $t = \lfloor (n-1)/2 \rfloor$, there exists a Verifiable Secret Sharing scheme, $(t, n, 1 - [\ldots], 1 - 2^{-[\ldots]})$-secure against an adaptive and rushing adversary, with a sharing complexity of $O(kn^3)$ and a single-round reconstruction of complexity $O(kn^2)$.

Proof sketch: We can take the above scheme over a field $F$ with $|F| \in [\ldots]$. Secrecy and correctness follow from Propositions 2 and 3. The communication complexity of the PreShare protocol is $O(kn^3)$, of the MPAuth protocol it is $O(kn)$. Therefore, the communication complexity of the sharing protocol, which calls PreShare once and MPAuth $n^2$ times, is $O(kn^3)$. The communication complexity of the reconstruction is, as in the Honest-Dealer VSS, $O(kn^2)$ bits. □

7 Applications to MPC with Pre-processing 

As an application of the above described VSS scheme, we will now present a general MPC protocol in the pre-processing model [?]. Our protocol is secure against an active, adaptive adversary who can corrupt up to $t = \lfloor (n-1)/2 \rfloor$, a minority, of the players. The idea behind MPC with pre-processing, introduced by Beaver, is to do as much work as possible in a pre-processing phase, before the inputs and even the circuit $C$ are known. This is to reduce the work and the assumptions on the communication network required in the computation phase when the inputs and circuit have actually become available.

(Footnote) Usually, the function that is to be securely computed is given as an arithmetic circuit.

This is based on circuit randomization and a generic construction that can be applied to any general MPC protocol based on a VSS with certain linearity properties explained below. The computation phase doesn't require secure channels; it only consists of broadcasting information and performing the local computations necessary for VSS reconstructions. It should therefore be clear that MPC in the pre-processing model benefits from VSS with optimized reconstruction.

The required linearity properties are as follows. If $s$ and $s'$ are two VSS'ed secrets and $\lambda$ a public constant, then the players should be able to locally compute VSS shares of $s + s'$ and $\lambda \cdot s$ (if this is the case then the scheme is called homomorphic) and of $s + \lambda$. Before showing that our VSS has these properties, we sketch the protocol for general MPC with pre-processing. Assume that adequate upper bounds on the number of inputs and multiplication gates in the future circuit are known. In the pre-processing phase, each player chooses a sufficient number of independent random values $a$ and VSS'es them. Next, the players jointly prepare a sufficient number of random triples $r, r'$ and $r''$ such that $r'' = rr'$ and such that each of these values is VSS'ed. Note that mutual randomness is easily achieved by having players VSS random values, and taking the sum of those as a mutually random value. By the linearity property, this random value is effectively VSS'ed. By invoking the general MPC protocol, products can be securely computed with the result VSS'ed.

In the computation phase, inputs and circuit are known. Assume for simplicity that each player has a single private input value. Each player then takes his actual private input $s$, and simply broadcasts the difference $e = a - s$ between this input $s$ and the random value $a$ he VSS'ed in the pre-processing phase. Subsequently, all players locally compute their shares in $s$ from the shares in $a$ they hold and the now public value $e$. In the computation phase, the addition gates are handled locally, while to multiply two shared values $s$ and $s'$, a fresh precomputed random triple $(r, r', r'')$ is taken, and the differences $\delta = s - r$ and $\delta' = s' - r'$ are revealed by invoking the reconstruction of VSS. Since $ss' = (r + \delta)(r' + \delta') = rr' + \delta' r + \delta r' + \delta\delta' = r'' + \delta' r + \delta r' + \delta\delta'$, every player $P_i$ can locally compute a share of $ss'$ from the shares of $r, r'$ and $r''$ and the values $\delta$ and $\delta'$. Note that linearity of the VSS facilitates all of these steps.



7.1 Applying Our VSS to MPC with Pre-processing 

We first argue that our VSS can be made to have the required linearity properties. Note that Shamir shares trivially possess these properties, so it suffices to focus on the authentication code. As mentioned in Section [?], the only thing we need to do is to fix throughout the computation the values $\alpha$ that are part of the verification keys $(\alpha, \beta)$. Indeed, if $y$ and $y'$ are authentication tags for $m$ and $m'$ with keys $(\alpha, \beta)$ and $(\alpha, \beta')$, respectively, then for every $\lambda \in F$, $\lambda \cdot y + y'$ is an authentication tag for the message $\lambda \cdot m + m'$ with key $(\alpha, \lambda \cdot \beta + \beta')$. Namely, $\alpha \cdot (\lambda \cdot m + m') + (\lambda \cdot \beta + \beta') = \lambda \cdot (\alpha \cdot m + \beta) + (\alpha \cdot m' + \beta') = \lambda \cdot y + y'$. Analogously, it can be shown that $y$ is an authentication tag for the message $m + \lambda$ with key $(\alpha, \beta - \alpha \cdot \lambda)$. Furthermore, it is not difficult to see by induction that after $l$ authentications and verifications with the same $\alpha$, the substitution probability still is $1/(|F| - l + 1)$ (see e.g. [?]).
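The following Python, an added example that is not part of the paper, carries the two key-update rules above through one player's local Beaver step from Section 7: from tagged shares of $r, r', r''$ and the public $\delta, \delta'$ it derives the tagged share of $ss'$ together with the verifier's matching key. Function names, the prime field and all sample values are constructed for the example.

```python
# Added example (not from the paper): tag homomorphism of Section 7.1 applied to one
# player's local step of a Beaver multiplication. Names and values are constructed.
import secrets

P = 2**61 - 1  # constructed prime field F


def tag(m, key):
    """Authentication tag y = alpha * m + beta under key (alpha, beta)."""
    alpha, beta = key
    return (alpha * m + beta) % P


def verify(m, y, key):
    return tag(m, key) == y


def linear_combine(lam, m1, y1, key1, m2, y2, key2):
    """lam*m1 + m2: P combines the tags, V combines the keys; both keys share alpha."""
    (alpha, beta1), (alpha2, beta2) = key1, key2
    assert alpha == alpha2, "tags are only combinable under the same alpha"
    m = (lam * m1 + m2) % P
    y = (lam * y1 + y2) % P
    return m, y, (alpha, (lam * beta1 + beta2) % P)


def add_constant(lam, m, y, key):
    """m + lam: the tag is unchanged, the verifier shifts beta by -alpha*lam."""
    alpha, beta = key
    return (m + lam) % P, y, (alpha, (beta - alpha * lam) % P)


def beaver_local_step(r_i, rp_i, rpp_i, tags, keys, delta, deltap):
    """P_i's share of s*s' = r'' + delta'*r + delta*r' + delta*delta' with its tag, and
    verifier P_j's matching key, all derived locally from the tagged shares of (r, r', r'')."""
    m, y, key = linear_combine(deltap, r_i, tags[0], keys[0], rpp_i, tags[2], keys[2])  # delta'*r + r''
    m, y, key = linear_combine(delta, rp_i, tags[1], keys[1], m, y, key)                # + delta*r'
    return add_constant(delta * deltap % P, m, y, key)                                  # + delta*delta'


def demo():
    """Constructed shares and keys: the derived tag verifies, a tampered share does not."""
    alpha = 1 + secrets.randbelow(P - 1)                        # P_j's alpha, fixed for the whole run
    keys = [(alpha, secrets.randbelow(P)) for _ in range(3)]    # fresh beta per authenticated value
    r_i, rp_i, rpp_i = (secrets.randbelow(P) for _ in range(3)) # constructed shares of r, r', r''
    tags = [tag(r_i, keys[0]), tag(rp_i, keys[1]), tag(rpp_i, keys[2])]
    delta, deltap = secrets.randbelow(P), secrets.randbelow(P)  # public differences s - r, s' - r'
    m, y, key = beaver_local_step(r_i, rp_i, rpp_i, tags, keys, delta, deltap)
    expected = (rpp_i + deltap * r_i + delta * rp_i + delta * deltap) % P
    # A modified share fails the check except with probability 1/|F| (here alpha != 0, so always).
    return m == expected, verify(m, y, key), verify((m + 1) % P, y, key)
```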

For a field $F$ with $|F| \in [\ldots]$, the protocol now works as follows. In the pre-processing phase, the random input values $a$ are treated just as above, based on our VSS. In order to prepare the random triples, we use the general MPC techniques of [?] to prepare triples $r, r'$ and $r''$ with $r'' = rr'$ as described earlier. This results in a VSS of these values according to [?] (i.e., according to the protocol PreShare from Section 6.3). We can convert these to sharings as they would have been produced by our VSS: we simply apply the protocol MPAuth (see Section 6.4) to get shares according to Share. Hence, all necessary pre-processing information will be shared according to our VSS. The computation phase can now proceed based on the reconstruction phase of our VSS.

As to efficiency, generating the sharings of $r$ and $r'$ consists essentially of $O(n)$ executions of PreShare, and thus this has complexity $O(kn^4)$ bits. The computation of the sharing of $r''$ costs according to [?] $O(kn^4)$ bits of communication, assuming everyone cooperates. Multi-party computing the tags is negligible compared to the rest, namely $O(kn^3)$. Hence, we have a best case complexity of $O(kn^4)$. If a corrupted player refuses to cooperate, then the easiest thing to do is to exclude the player and restart the computation. This will allow the adversary to slow down the computation by at most a factor linear in $n$. Hence we have

Theorem 4. Let $C$ be an arithmetic circuit over a field $F$ with $M$ multiplication gates, where $|F| \in [\ldots]$. Communicating $O(Mkn^5)$ bits in a pre-processing phase, there exists an MPC protocol, secure except with probability $[\ldots]$ against a rushing adversary who can adaptively corrupt up to $t = \lfloor (n-1)/2 \rfloor$ of the players, computing the circuit $C$ with $O(Mkn^2)$ bits of communication.

(Footnote) Instead of restarting, one could also reconstruct the share(s) of the caught cheater, if needed. This way, the adversary cannot slow down the computation substantially, resulting in a pre-processing complexity of $O(Mkn^4)$ instead of $O(Mkn^5)$.
The most efficient previously known protocol for MPC with pre-processing in our model is based on [?]. Note that this would result in a pre-processing phase with complexity of the same order as in our case. However, due to VSS with optimized reconstruction, we gain an efficiency improvement of a multiplicative factor $n$ in the computation phase of our protocol.
A Communication Pattern from Section [?]: Justification

When justifying the claim that the proposed communication pattern is most general, it should be kept in mind that we are interested in the complexity of the reconstruction phase, and that all “re-modeling” operations are allowed as long as they do not affect the complexity of reconstruction (apart from constant factors).

By the assumption that the dealer is honest, we may assume without loss of generality that the distribution phase only consists of the dealer sending private information $s_i$ to each of the players $P_i$, i.e., any secure distributed computation carried out by the players in the distribution phase could as well be carried out by the honest dealer, without consequences to the complexity of the reconstruction phase. Similarly, we may assume that in the reconstruction phase each player $P_i$ merely broadcasts a piece of information, $y_i$, that only depends on the private information $s_i$ received from the dealer. Namely, at the cost of at most a constant factor of increased communication, private channels can be simulated by one-time pads, the keys of which are distributed by the honest dealer. In fact, it can be assumed that in general $s_i = (k_i, y_i)$, where $y_i$ is required to be broadcast in the reconstruction phase, and each player $P_i$ makes a local (possibly probabilistic) decision on the secret $s$ based on the broadcast information and his private $k_i$.

B Impossibility Lemmas from Section [?]

Lemma 2. There exists a static, non-rushing adversary such that with non-zero probability some honest players output “failure” in the reconstruction phase.

Proof. Given that $t > n/3$, let $B, A_0, A_1$ be an arbitrary disjoint partition of $\{1, \ldots, n\}$ such that $|B| = t$ and $1 \leq |A_0|, |A_1| \leq t$. We show a strategy for the adversary that forces all players in $B$ to output “failure” with non-zero probability. The adversary corrupts the players in $A_0$, selects a random secret $\tilde{s}$ and randomly guesses the shares $s_i = (k_i, y_i)$ held by the players in $B$. By the privacy of the scheme and assuming that he guessed the shares correctly and that $\tilde{s} \neq s$ (which both happens with non-zero probability), he can sample random shares $s_j$ for the corrupted players, so that these, together with the shares of the players in $B$, are consistent with the secret $\tilde{s}$, and have the same distribution as when sent by the honest dealer. It is now clear that in the reconstruction phase (assumed that the adversary guessed the shares correctly and that $\tilde{s} \neq s$), every player in $B$ has to output “failure”. Indeed, the players in $B$ must definitely not output the incorrect secret $\tilde{s}$. On the other hand, if some player in $B$ outputs the correct secret $s$ (with positive probability), then by corrupting the players in $A_1$ instead of $A_0$, but otherwise playing the corresponding game, the adversary creates the same view for the players in $B$, however with the correct and the incorrect secrets exchanged, and hence this player would now output the incorrect secret (with positive probability), which is a contradiction. □
Lemma 3. There exists a static, rushing adversary such that with non-zero probability some honest player recovers the secret in the reconstruction phase, while some other honest player outputs “failure”.

Proof. Consider the case $t > n/3$. Let $B, A_0, A_1$ be an arbitrary disjoint partition of $\{1, \ldots, n\}$ such that $1 \leq |A_0| \leq t-1$ and $1 \leq |A_1| \leq t$. Note that $2 \leq |B| \leq t$. Let $p, q$ be distinct members of $B$. We consider the same adversary as before, except that in the reconstruction phase, the adversary “rushes”, and waits until the players in $B$ have broadcast their $y_i$'s. He then makes a guess for player $p$'s private $k_p$, and broadcasts random $y_j$'s for the players, consistent with $k_p$ and with the $y_i$'s of the players in $B$ and a random secret different from the correct one (which he knows by now). For similar reasons as before we conclude that player $p$ does not reconstruct the secret if the guess for $k_p$ was correct. However, in that case player $q$ must reconstruct the secret with positive probability: for if not, corrupting $A_0$ and player $p$ (note that this amounts to at most $t$ corruptions), the adversary would not have to guess $k_p$ anymore, and hence there would be a strategy that makes at least one honest player output “failure” in the reconstruction with probability equal to 1. This contradicts correctness. □

C Non-maximal t 

In the main body of this paper, we have only considered a maximal $t$ in the interesting range $n/3 < t < n/2$. We will now state the generalizations of Theorems 1 to 4 for a (nearly) arbitrary $t$ in this range. The corresponding proofs are similar but technically more involved.

Theorem [?]. For any family of Single-Round Honest-Dealer VSS schemes, $(t, n, 1-\delta)$-secure against an arbitrary active, rushing adversary, the following holds. Let $k$ be a security parameter and let $\epsilon > 0$ be an arbitrary constant. If $\delta = [\ldots]$ and $n/3 \cdot (1+\epsilon) \leq t < n/2$, then the total information broadcast in the reconstruction phase is lower bounded by $\Omega((nH(S) + kn^2)/(n-2t))$.

Note that already an arbitrarily small linear gap between $t$ and $n/2$ reduces the lower bound by a factor of $n$. The following theorem shows that the reconstruction complexity indeed reduces by a factor of $n$ for such a $t$ (at least in case of a security parameter $k$ slightly larger than linear in $n$).

Theorem [?]. For $n/3 < t < n/2$ and $k = \Omega((n-2t)\log(t))$, there exists a Single-Round Honest-Dealer VSS scheme, $(t, n, 1-2^{-[\ldots]})$-secure against an adaptive and rushing adversary, with a total communication complexity of $O(kn^2/(n-2t))$ bits.

The analogous result holds for VSS.

Theorem [?]. For $n/3 < t < n/2$ and $k = \Omega((n-2t)\log(t))$, there exists a Single-Round VSS scheme, $(t, n, 1-[\ldots], 1-2^{-[\ldots]})$-secure against an adaptive and rushing adversary, with a sharing complexity of $O(kn^3)$ and a reconstruction complexity of $O(kn^2/(n-2t))$.

Applied to MPC with preprocessing, we achieve

Theorem [?]. Let $C$ be an arithmetic circuit over a field $F$ with $M$ multiplication gates, where $|F| \in [\ldots]$, $n/3 < t < n/2$ and $k = \Omega((n-2t)\log(t))$. Communicating $O(Mkn^5)$ bits in a pre-processing phase, there exists an MPC protocol, secure except with probability $[\ldots]$ against an adversary who can adaptively corrupt up to $t$ of the players, computing the circuit $C$ with $O(Mkn^2/(n-2t))$ bits of communication.



D General Adversaries 

We now go beyond security against a dishonest minority by sketching how to adjust our VSS and MPC protocols to be secure against a general $Q^2$-adversary [?], i.e. against an adversary who can corrupt any subset of players in a given family of subsets, where no two subsets in the family cover the full player set.

By replacing the bivariate polynomial sharing in PreShare by the information-theoretic commitment/WSS protocol from [?] based on monotone span programs [?], we are in the same position as described by Proposition 2, except that 4. is not guaranteed, i.e. the share $s_i$ of a corrupted player $P_i$ is not necessarily correctly shared by the sub-shares $s_{ji}$ of the honest players $P_j$. But this can easily be achieved by doing another level of sharing: every player $P_i$ shares his share $s_i$ with the WSS protocol from [?], where every player $P_j$ insists that the share they get of $s_i$ is the sub-share $s_{ji}$.

In the MPAuth protocol, replacing the threshold sharings of the values $\alpha$ and $\beta$ by sharings based on monotone span programs with multiplication, and using the fact that these can be constructed from ordinary monotone span programs with only constant overhead [?], Proposition 3 remains intact.

This results in a VSS scheme secure against a general $Q^2$-adversary. Furthermore, the sharing and reconstruction complexities are $O(knm^2)$ and $O(knm)$ bits, respectively, where $m \geq n$ is the size of the monotone span program, while the respective complexities of the general adversary VSS scheme suggested in [?] are both $O(knm^{[\ldots]})$ bits (even though one could achieve $O(knm^{[\ldots]})$ using their techniques in a more elaborate way).

Based on this general adversary VSS scheme, similar to the previous section, one can achieve a general MPC protocol, secure against a general adversary, which in the pre-processing model has a communication complexity of $O(Mknm)$ bits, compared to $O(Mknm^{[\ldots]})$ (respectively $O(Mknm^{[\ldots]})$), which would be achieved by the general adversary MPC protocol from [?].

E The Power of Rushing (Honest Dealer Case) 

We show that our tight lower bound from Section [?] does not hold if the adversary does not rush, and instead selects the corrupted shares he will broadcast in the reconstruction phase before it has started. We also sketch a lower bound and outline some applications, namely to a scenario in which the amount of information sent in the distribution phase is to be minimized.

Let $F$ be a finite field with $|F| > n$, and take Shamir's $(t+1, n)$-threshold scheme defined over $F$. Cabello, Padro and Saez [?] have proposed the following so-called robust secret sharing scheme. To share a secret $s$ in this scheme, the honest dealer selects a random field element $\rho$, independently generates full sets of Shamir-shares for the secrets $s$, $\rho$ and $\rho \cdot s$, and privately distributes the shares to the players.

Given a set $A$ of at least $t+1$ shares (which possibly contains corrupted shares), consider the three values $s'$, $\rho'$ and $r'$ that are computed by applying the reconstruction procedure of Shamir's scheme to the shares in $A$. The crucial observation is that if $s \neq s'$ and if the corrupted shares are independently distributed from $\rho$, the probability that $s' \cdot \rho' = r'$ is at most $1/|F|$. Hence, given for instance a trusted party available for reconstruction, connected with each player by an independent private channel, the independence requirement is satisfied, and although the secret may not always be reconstructed from a qualified set, a corrupted secret is detected with high probability.

We note the following application of this scheme in our scenario of a non- 
rushing adversary. By assumption, this is an adversary who chooses the cor- 
rupted shares before the reconstruction phase. This ensures that the indepen- 
dence requirement stated before is satisfied. Let k be a security parameter and 
t < n/2, and assume additionally that |F| > 2^{n+k}. Let the distribution phase be 
according to the scheme above. Consider an arbitrary set A of t + 1 shares revealed 
in the reconstruction phase. If A consists exclusively of shares of honest players, 
then the secret reconstructed by the procedure above is certainly the 
correct secret s. Otherwise, either a failure is detected, or with probability at 
most 2^{-n-k} a secret s_A is accepted based on the shares in A. Let V denote 
the set of all distinct accepted "secrets" s_A, quantifying over all sets A. Note 
that s ∈ V. Now each honest player simply computes V, and outputs "failure" if 
V has more than one element, and s otherwise. This way all honest players are 
in agreement, and the probability with which they output "failure" is clearly at 
most 2^n · 2^{-n-k} = 2^{-k}. 
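The robust scheme and the non-rushing reconstruction rule just described, as an added example that is not from the paper: Shamir sharing over a constructed prime field, the s'·ρ' = r' check applied to every (t + 1)-subset of the revealed shares, and the rule that outputs "failure" when the set V of accepted secrets has more than one element. The prime, the parameters t = 2 and n = 5, the secret and the random seed are all constructed for the example; the corrupted shares are fixed by the simulated adversary before reconstruction, i.e. independently of ρ, which is exactly the non-rushing assumption.

```python
# Added example (not from the paper): Cabello-Padro-Saez robust secret sharing on top of
# Shamir's scheme, plus the non-rushing reconstruction rule of Appendix E.
import random
from itertools import combinations

P = 2**61 - 1  # constructed prime field; a large |F| keeps the false-accept probability 1/|F| small


def shamir_share(secret, t, n, rng):
    """Degree-t polynomial with constant term `secret`; share i is f(i) for i = 1..n."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P for i in range(1, n + 1)}


def lagrange_at_zero(shares):
    """Shamir reconstruction: interpolate f(0) from a dict {i: f(i)} of t+1 points."""
    total = 0
    for i, y in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + y * num * pow(den, -1, P)) % P
    return total


def cps_share(s, t, n, rng):
    """Honest dealer: pick random rho and share s, rho and rho*s with independent polynomials."""
    rho = rng.randrange(P)
    a = shamir_share(s, t, n, rng)
    b = shamir_share(rho, t, n, rng)
    c = shamir_share(rho * s % P, t, n, rng)
    return {i: (a[i], b[i], c[i]) for i in range(1, n + 1)}


def cps_reconstruct(subset):
    """Reconstruct s', rho', r' from a (t+1)-subset and accept only if s' * rho' = r'."""
    s1 = lagrange_at_zero({i: v[0] for i, v in subset.items()})
    rho1 = lagrange_at_zero({i: v[1] for i, v in subset.items()})
    r1 = lagrange_at_zero({i: v[2] for i, v in subset.items()})
    return s1 if s1 * rho1 % P == r1 else None  # None = the check detected a corrupted secret


def non_rushing_reconstruct(revealed, t):
    """Honest player's rule: V = all accepted secrets over all (t+1)-subsets of the revealed
    shares; output the single element of V, or None (= "failure") if |V| != 1."""
    accepted = set()
    for ids in combinations(sorted(revealed), t + 1):
        s = cps_reconstruct({i: revealed[i] for i in ids})
        if s is not None:
            accepted.add(s)
    return accepted.pop() if len(accepted) == 1 else None


def demo(seed=1):
    """Returns (result with all honest shares, result with t shares replaced by a non-rushing adversary)."""
    rng = random.Random(seed)
    t, n, secret = 2, 5, 123456789  # constructed parameters
    shares = cps_share(secret, t, n, rng)
    # Non-rushing adversary: corrupted shares of players 1..t are chosen before the
    # reconstruction phase, hence independently of rho, so every subset that contains
    # one of them passes the s'*rho' = r' check with probability only 1/|F|.
    corrupted = dict(shares)
    for i in range(1, t + 1):
        corrupted[i] = (rng.randrange(P), rng.randrange(P), rng.randrange(P))
    return non_rushing_reconstruct(shares, t), non_rushing_reconstruct(corrupted, t)


if __name__ == "__main__":
    print(demo())
```

With n = 5 and t = 2 there are ten 3-subsets; only {3, 4, 5} is honest-only, and the subsets that contain a corrupted share are rejected by the product check, so V = {s} and the honest players output the correct secret. The ordering restriction matters: the code fixes the corrupted shares before any honest share is revealed, which is what makes the independence argument apply.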

For the case that k > n and n = 2t + 1, we now sketch an argument showing 
that the distribution phase of this scheme is optimal, up to constant factors. A 
basic result in secret sharing says, informally speaking, that the size of individual 
shares is at least the size of the secret, and hence the question that remains is 
whether the error probability ε of the above scheme is optimal. We define an 
adversary who flips a random coin and either corrupts the first t players, or the 
last t players. In either case, he makes a random guess for the share s_{t+1} 
that player P_{t+1} received from the honest dealer in the distribution phase, deletes 
the correct shares received from the dealer by the corrupted players, and instead 
chooses random corrupted shares, consistent with his guess and with a 
random secret s̃. Assuming that the correct secret s was chosen at random by 
the honest dealer, if the adversary's guess for player P_{t+1}'s share is correct, then 
there is no way for any reconstruction procedure to distinguish between s and 
s̃. Hence, in order for log 1/ε to be O(k), the size of each individual share must 
be Ω(k). 

Although it is generally not very realistic to assume that the adversary is 
not rushing, it is possible to construct a "simultaneous broadcast" channel on 
top of the "secure channels with broadcast" model. Namely, simply have each 
player first VSS their values, e.g. by using the schemes of nan, after which all 
VSSs are opened. Using the concrete scheme above, this procedure ensures 
that shares are "broadcast simultaneously", and hence that the required inde- 
pendence is achieved, at the cost of increased complexity of the reconstruction 
phase and use of private channels in that phase. The advantage, however, is that 
the efficiency of the distribution phase has been substantially improved. 



F Proof of Proposition El 

1. First note that the adversary does not gain any new information by making 
players complain. Let A be the set of players who have been corrupted during 
the execution of PreShare. The existence of a symmetric bivariate polynomial d 
of degree t, with d(0,0) = 1 and d(i,·) = d(·,i) = 0 for all P_i ∈ A, implies 
that for every s' ∈ F, the number of symmetric bivariate polynomials of 
degree at most t with s' as constant coefficient and consistent with the adver- 
sary's view is the same. Therefore, as f is chosen at random, the shares and 
sub-shares of the corrupted players give no information about the secret s. 
The claim now follows from the secrecy property of the signatures. 

2. If this was not the case, then there would have been complaining. 

3. Let the set A consist of t + 1 honest players. Their shares define a unique 
secret s'. Let now A' consist of the players in A and a further honest 
player (if there are only t + 1 honest players, then we are finished any- 
way). Let λ_i, i ∈ A, be the reconstruction coefficients for the players in 
A and λ'_i, i ∈ A', for the players in A'. So we have $s' = \sum_{i \in A} \lambda_i s_i$ and 
(according to 2.) $s_k = \sum_{j \in A} \lambda_j s_{kj}$ for all k ∈ A'. It follows that 

$$\sum_{k \in A'} \lambda'_k s_k = \sum_{k \in A'} \lambda'_k \sum_{i \in A} \lambda_i s_{ki} = \sum_{i \in A} \lambda_i \sum_{k \in A'} \lambda'_k s_{ki} = \sum_{i \in A} \lambda_i \sum_{k \in A'} \lambda'_k s_{ik} = \sum_{i \in A} \lambda_i s_i = s',$$

hence the shares of the players in A' are still consistent. Inductively, it follows that the shares of all honest 
players are consistent and define a unique secret s'. 

4. Can be shown with a similar argument as above, using the fact that 
every share s_j can be written as a fixed linear combination $\sum_k \mu_{jk} s_k$ of the 
shares of the honest players P_k. □ 
Abstract. Broadcast protocols are a fundamental building block for im- 
plementing replication in fault-tolerant distributed systems. This paper 
addresses secure service replication in an asynchronous environment with 
a static set of servers, where a malicious adversary may corrupt up to a 
threshold of servers and controls the network. We develop a formal model 
using concepts from modern cryptography, give modular definitions for 
several broadcast problems, including reliable, atomic, and secure causal 
broadcast, and present protocols implementing them. Reliable broad- 
cast is a basic primitive, also known as the Byzantine generals problem, 
providing agreement on a delivered message. Atomic broadcast imposes 
additionally a total order on all delivered messages. We present a ran- 
domized atomic broadcast protocol based on a new, efficient multi-valued 
asynchronous Byzantine agreement primitive with an external validity 
condition. Apparently, no such efficient asynchronous atomic broadcast 
protocol maintaining liveness and safety in the Byzantine model has 
appeared previously in the literature. Secure causal broadcast extends 
atomic broadcast by encryption to guarantee a causal order among the 
delivered messages. Our protocols use threshold cryptography for signa- 
tures, encryption, and coin-tossing. 



1 Introduction 

Broadcast protocols are a fundamental building block for fault-tolerant dis- 
tributed systems. A group of servers can offer some service in a fault-tolerant 
way by using the state machine replication technique, which will mask the fail- 
ure of any individual server or a fraction of them. In the model with Byzantine 
faults considered here, faulty servers may exhibit arbitrary behavior or even be 
controlled by an adversary. 
In this paper, we present a modular approach for building robust broadcast 
protocols that provide reliability (all servers deliver the same messages), atom- 
icity (a total order on the delivered messages), and secure causality (a notion 
that ensures no dishonest server sees a message before it is scheduled by the sys- 
tem). An important building block is a new protocol for multi-valued Byzantine 
agreement with “external validation.” Our focus is on methods for distributing 
secure, trusted services on the Internet with the goal of increasing their avail- 
ability and security. Cryptographic operations are exploited to a greater extent 
than previously for such protocols because we consider them to be relatively 
cheap, in particular compared to the message latency on the Internet. 

We do not make any timing assumptions and work in a purely asynchronous 
model with a static set of servers and no probabilistic assumptions about mes- 
sage delays. Our protocols rely on a trusted dealer that is used once to set up 
the system, but they do not use any additional external constructs later (such 
as failure detectors or stability mechanisms). We view this as the standard cryp- 
tographic model for a distributed system with Byzantine faults. These choices 
maintain the safety of the service even if the network is temporarily disrupted. 
This model also avoids the problem of having to assume synchrony properties 
and to fix timeout values for a network that is controlled by an adversary; such 
choices are difficult to justify if safety and also security depend on them. 

Despite the practical appeal of the asynchronous model, not much research 
has concentrated on developing efficient asynchronous protocols or implementing 
practical systems that need consensus or Byzantine agreement. Often, developers 
of distributed systems avoid the approach because of the result of Fischer, Lynch, 
and Paterson jO], which shows that consensus is not reachable by protocols that 
use an a priori bounded number of steps, even with crash failures only. But the 
implications of this result should not be overemphasized. In particular, there are 
randomized solutions that use only a constant expected number of asynchronous 
“rounds” to reach agreement iEIZEl- Moreover, by employing modern, efficient 
cryptographic techniques and by resorting to the random oracle model, this 
approach has recently been extended to a practical yet provably secure protocol 
for cryptographic Byzantine agreement that withstands the maximal possible 
corruption |^. 

Two basic broadcast protocols are reliable broadcast (following Bracha and 
Toueg ^), which ensures that all servers deliver the same messages, and a varia- 
tion of it that we call consistent broadcast, which only provides agreement among 
the actually delivered messages. The consistent broadcast primitive used here is 
particularly useful in connection with a verifiability property for the delivered 
messages, which ensures that a party can transfer a “proof of delivery” to another 
party in a single flow. 

The efficient randomized agreement protocols mentioned before work only 
for binary decisions (or for decisions on values from small sets) . In order to build 
distributed secure applications, this is not sufficient. One also needs agreement 
on values from large sets, in particular for ordering multiple messages. We pro- 
pose a new multi-valued Byzantine agreement protocol with an external validity 



526 C. Cachin et al. 

condition and show how it can be used for implementing atomic broadcast. Ex- 
ternal validity ensures that the decision value is acceptable to the particular 
application that requests agreement; this corrects a drawback of earlier agree- 
ment protocols for multi-valued agreement, which could decide on illegal values. 
Both protocols use digital signatures and additional cryptographic techniques. 

The multi-valued Byzantine agreement protocol invokes only a constant ex- 
pected number of binary Byzantine agreement sub-protocols on average and 
achieves this by using a cryptographic common coin protocol in a novel way. It 
withstands the maximal possible corruption of up to one third of the parties and 
has expected quadratic message complexity (in the number of parties), which is 
essentially optimal. 

Our atomic broadcast protocol guarantees that a message from an honest 
party cannot be delayed arbitrarily by an adversary as soon as a minimum 
number of honest parties are aware of that message. The protocol invokes one 
multi-valued Byzantine agreement per batch of payload messages that is deliv- 
ered. An analogous reduction of atomic broadcast to consensus in the crash-fault 
model has been described by Chandra and Toueg |B|, but it cannot be directly 
transferred to the Byzantine setting. 

We also define and implement a variation of atomic broadcast called secure 
causal atomic broadcast. This is a robust atomic broadcast protocol that tolerates 
a Byzantine adversary and also provides secrecy for messages up to the moment 
at which they are guaranteed to be delivered. Thus, client requests to a trusted 
service using this broadcast remain confidential until they are answered by the 
service and the service processes the requests in a causal order. This is crucial in 
our asynchronous environment for applying the state machine replication method 
to services that involve confidential data. 

Secure causal atomic broadcast works by combining an atomic broadcast pro- 
tocol with robust threshold decryption. The notion and a heuristic protocol were 
proposed by Reiter and Birman mi, who called it “secure atomic broadcast” 
and also introduced the term “input causality” for its main property. Recent 
progress in threshold cryptography allows us to present an efficient robust pro- 
tocol together with a security proof in the random oracle model. 

In accordance with the comprehensive survey of fault-tolerant broadcasts by 
Hadzilacos and Toueg nm, we define and implement our protocols in a mod- 
ular way, with reliable and consistent broadcasts and Byzantine agreement as 
primitives. This leads to the following layered architecture: 



    Secure Causal Atomic Broadcast 
    Atomic Broadcast 
    Multi-valued Byzantine Agreement 
    Broadcast Primitives | Byzantine Agreement 



Important for the presentation of our broadcast protocols is our formal model 
of a modular protocol architecture, where a number of potentially corrupted par- 
ties communicate over an insecure, asynchronous network; it uses complexity- 
theoretic concepts from modern cryptography. This makes it possible to easily 
integrate the formal notions for encryption, signatures, and other cryptographic 
tools with distributed protocols. The model allows for quantitative statements 
about the running time and the complexity of protocols; the essence of our def- 
inition is to bound the number of steps taken by participants on behalf of a 
protocol independently from network behavior. In view of the growing impor- 
tance of cryptography for secure distributed protocols, a unified formal model 
for both is a contribution that may be of independent interest. 

Organization of the Paper. For lack of space, only the most important results are 
described in this extended abstract. It begins with a brief account of the formal 
model and definitions for binary Byzantine agreement and consistent broad- 
cast. Then it presents validated Byzantine agreement and an implementation 
for the multi-valued case, which is extended to atomic broadcast. More details, 
in particular the formal model, detailed definitions and proofs, the discussion of 
related work, and the descriptions of reliable broadcast and secure causal atomic 
broadcast, can be found in the full version 

2 Model 

2.1 Overview of the Formal Model 

Our system consists of a collection of n interactive Turing machines, of which 
t are (statically) corrupted by an adversary, modeled by an arbitrary Turing 
machine. There is a trusted dealer that has distributed some cryptographic keys 
initially, but it is not used later. Our model differs in two respects from other 
models traditionally used in distributed systems with Byzantine faults: (1) In 
order to use the proof techniques of complexity-based cryptography, our model 
is computational: all parties and the adversary are constrained to perform only 
feasible, i.e., polynomial-time, computations. This is necessary for using formal 
notions from cryptography in a meaningful way. (2) We make no assumptions 
about the network at all and leave it under complete control of the adversary. Our 
protocols work only to the extent that the adversary delivers messages faithfully. 
In short, the network is the adversary. The differences become most apparent in 
the treatment of termination, for which we use more concrete conditions that 
together imply the traditional notion of “eventual” termination. 

We define termination by bounding a statistic measuring the amount of work 
that honest, uncorrupted parties do on behalf of a protocol. In particular, we use 
the communication complexity of a protocol for this purpose, which is defined 
as the length of all protocol messages that are “associated” to the protocol 
instance. We use the term protocol message for messages that the parties send 
to each other to implement a protocol, in contrast to the payload messages that 
are the subject of the (reliable, consistent, atomic ... ) broadcasts among all 
parties. The specification of a protocol requires certain things to happen under 
the condition that all protocol messages have been delivered; thus, bounding the 
length (and also the number) of protocol messages generated by uncorrupted 
parties ensures that the protocol has actually terminated under this condition. 
As usual in cryptography, we prove security with respect to all polynomial- 
time adversaries. Our notion of an efficient (deterministic) protocol requires 
that the statistic is uniformly bounded by a fixed polynomial independent of the 
adversary. We also define the corresponding notion of a probabilistically uniformly 
bounded statistic for randomized protocols; the expected running time of such 
a protocol can be derived from this. Both notions are closed under modular 
composition of protocols, which is not trivial for randomized protocols. 

Our model uses the adversary in two roles: to invoke new instances of a pro- 
tocol through input actions (as an application might do) and to deliver protocol 
messages (modeling the network). 

For simplicity, all protocol messages delivered by the adversary are assumed 
to be authenticated (implementing this is straightforward in our model) . 

2.2 Byzantine Agreement 

We give the definition of (binary) Byzantine agreement (or consensus in the 
crash- fault model) here as it is needed for building atomic broadcast protocols. 
It can be used to provide agreement on independent transactions. 

The Byzantine agreement protocol is activated when the adversary deliv- 
ers an input action to P_i of the form (ID, in, propose, v), where v ∈ {0,1}. 
When this occurs, we say P_i proposes v for transaction ID. A party terminates 
the Byzantine agreement protocol (for transaction ID) by generating an output 
action of the form (ID, out, decide, v). In this case, we say P_i decides v for trans- 
action ID. Let any protocol message with tag ID or ID|... that is generated by 
an honest party be associated to the agreement protocol for ID. 

Definition 1 (Byzantine agreement). A protocol solves Byzantine agree- 
ment if it satisfies the following conditions except with negligible probability: 

Validity: If all honest parties that are activated on a given ID propose v, then 
any honest party that terminates for ID decides v.¹ 
Agreement: If an honest party decides v for ID, then any honest party that 
terminates decides v for ID. 

Liveness: If all honest parties have been activated on ID and all associated 
messages have been delivered, then all honest parties have decided for ID. 
Efficiency: For every ID, the communication complexity for ID is probabilisti- 
cally uniformly bounded. 

2.3 Cryptographic Primitives 

Apart from ordinary digital signature schemes, we use collision-free hashing, 
pseudo-random generators, robust non-interactive dual-threshold signatures P3I, 
threshold public-key encryption schemes and a threshold pseudo-random 
function [IldIBj . Definitions can be found in the full version . 

¹ We use the term "validity" for this condition in accordance with most of the literature 
on Byzantine agreement. Alternatively, one might also adopt the terminology of 
fault-tolerant broadcasts m and instead call it “integrity,” to emphasize that it is 
a general safety condition (in contrast to a liveness condition). 
3 Broadcast Primitives: Verifiable Consistent Broadcast 

Our multi-valued agreement protocol builds on top of a consistent broadcast 
protocol, which is a relaxation of Byzantine reliable broadcast m. Consistent 
broadcast provides a way for a distinguished party to send a message to all other 
parties such that two parties never deliver two conflicting messages for the same 
sender and sequence number. In other words, it maintains consistency among the 
actually delivered payloads with the same senders and sequence numbers, but 
makes no provisions that two parties do deliver the payloads. Such a primitive 
has also been used by Reiter m. 

Broadcasts are parameterized by a tag ID, which can also be thought of as 
identifying a broadcast “channel,” augmented by the identity of the sender, j, 
and by a sequence number s. We restrict the adversary to submit a request for 
consistent broadcast tagged with ID.j.s to Pi only if i = j and at most once for 
every sequence number. 

A consistent broadcast protocol is activated when the adversary delivers an 
input action to P_j of the form (ID.j.s, in, c-broadcast, m), with m ∈ {0,1}* 
and s ∈ ℕ. When this occurs, we say P_j consistently broadcasts m tagged 
with ID.j.s. Only the sender P_j is activated like this. The other parties are 
activated when they perform an explicit open action for instance ID.j.s in their 
role as receivers (this occurs implicitly in our system model when they wait for 
an output tagged with ID.j.s). 

A party terminates a consistent broadcast of m tagged with ID.j.s by gener- 
ating an output action of the form (ID.j.s, out, c-deliver, m). In this case, we 
say P_i consistently delivers m tagged with ID.j.s. For brevity, we also use the terms 
c-broadcast and c-deliver. 

Definition 2 (Authenticated Consistent Broadcast). A protocol for au- 
thenticated consistent broadcast satisfies the following conditions except with 
negligible probability: 

Validity: If an honest party has c-broadcast m tagged with ID.j.s, then all 
honest parties c-deliver m tagged with ID.j.s, provided all honest parties have 
been activated on ID.j.s and the adversary delivers all associated messages. 
Consistency: If some honest party c-delivers m tagged with ID.j.s and another 
honest party c-delivers m' tagged with ID.j.s, then m = m' . 

Authenticity: For all ID, senders j, and sequence numbers s, every honest 
party c-delivers at most one message m tagged with ID.j.s. Moreover, if Pj 
is honest, then m was previously c-broadcast by Pj with sequence number s. 
Efficiency: For any ID, sender j, and sequence number s, the communication 
complexity of instance ID.j.s is uniformly bounded. 

The provision that the “adversary delivers all associated messages” is our quan- 
titative counterpart to the traditional “eventual” delivery assumption. 

A party Pi that has delivered a payload message using consistent broadcast 
may want to inform another party Pj about this. Such information might be 
useful to P_j if it has not yet delivered the message, but can exploit this knowl- 
edge to deliver the payload message itself, maintaining consistency. We call this 
property the verifiability of a consistent broadcast. 

Informally, we use verifiability like this: when P_j claims that it is not yet 
in a state to c-deliver a particular payload message m, then P_i can send a 
single protocol message to P_j, and when P_j processes this, it will c-deliver m 
immediately. 

Definition 3 (Verifiability). A consistent broadcast protocol is called verifi- 
able if the following holds, except with negligible probability: When an honest 
party has c-delivered m tagged with ID.j.s, then it can produce a single protocol 
message M that it may send to other parties such that any other honest party 
will c-deliver m tagged with ID.j.s upon receiving M (provided the other party 
has not already done so before). 

We call M the message that completes the verifiable broadcast. This notion 
implies that there is a polynomial-time computable predicate V_{ID.j.s} that the 
receiving party can apply to an arbitrary bit string for checking if it constitutes 
a message that completes a verifiable broadcast tagged with ID.j.s. 

A protocol for verifiable authenticated consistent broadcast (denoted VCBC) 
is given in the full version 0. It is inspired by the "echo broadcast" of Reiter m 
and based on a threshold signature scheme. Its message complexity is O(n) and 
its bit complexity is O(n(|m| + K)), assuming the length of a threshold signature 
and a signature share is at most K bits. 
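An added example, not the paper's VCBC protocol (which is only in the full version): a toy verifiable consistent broadcast in the echo-broadcast style, where the threshold signature is replaced by a set of n − t per-party HMAC tags over constructed keys. It shows the two properties discussed above: honest receivers echo at most one payload per ID.j.s, so a corrupted sender cannot obtain completing messages for two conflicting payloads when n > 3t (any two quorums of n − t parties share an honest party); and a single completing message M lets a party that never saw the payload c-deliver it, which is the predicate V_{ID.j.s} in executable form. The party ids, keys, tag and payloads are constructed for the example.

```python
# Added example (not the paper's VCBC): echo-style verifiable consistent broadcast with
# per-party HMAC tags standing in for threshold-signature shares (an assumption).
import hmac
import hashlib

N, T = 4, 1  # n > 3t; a completing message needs n - t = 3 echoes from distinct parties
KEYS = {i: f"constructed-key-{i}".encode() for i in range(N)}  # constructed pre-shared MAC keys


def echo_tag(i, tag_id, m):
    """Stand-in for P_i's signature share on (ID.j.s, m)."""
    return hmac.new(KEYS[i], f"{tag_id}|{m}".encode(), hashlib.sha256).hexdigest()


def completes(tag_id, m, echoes):
    """Predicate V_{ID.j.s}: does this bit string carry n - t valid echoes on m from distinct parties?"""
    valid = {i for i, tg in echoes if i in KEYS and hmac.compare_digest(tg, echo_tag(i, tag_id, m))}
    return len(valid) >= N - T


class HonestParty:
    def __init__(self, i):
        self.i, self.echoed, self.delivered = i, {}, {}

    def on_send(self, tag_id, m):
        """Echo rule: sign at most one payload per ID.j.s. Two conflicting payloads therefore can
        never both reach n - t echoes, since any two such sets overlap in an honest party."""
        if self.echoed.setdefault(tag_id, m) != m:
            return None  # already echoed a different payload for this tag: refuse
        return (self.i, echo_tag(self.i, tag_id, m))

    def on_final(self, M):
        """Verifiability: c-deliver on the single completing message M, whoever forwards it."""
        tag_id, m, echoes = M
        if tag_id not in self.delivered and completes(tag_id, m, echoes):
            self.delivered[tag_id] = m
        return self.delivered.get(tag_id)


def run_conflicting_sender():
    """Corrupted sender P_0 tries to get 'm1' and 'm2' both delivered under one tag."""
    parties = {i: HonestParty(i) for i in (1, 2, 3)}
    tag_id = "ID.0.1"  # sender j = 0, sequence number s = 1 (constructed)
    # P_0 echoes anything itself; it sends "m1" to P_1, P_2 and "m2" to P_2, P_3.
    ech1 = [(0, echo_tag(0, tag_id, "m1"))] + [parties[i].on_send(tag_id, "m1") for i in (1, 2)]
    ech2 = [(0, echo_tag(0, tag_id, "m2"))] + [parties[i].on_send(tag_id, "m2") for i in (2, 3)]
    ech2 = [e for e in ech2 if e is not None]  # P_2 refuses the second payload
    cert1 = completes(tag_id, "m1", ech1)  # 3 echoes: P_0, P_1, P_2
    cert2 = completes(tag_id, "m2", ech2)  # only P_0 and P_3: no completing message exists
    M = (tag_id, "m1", ech1)  # the message that completes the broadcast of m1
    d1 = parties[1].on_final(M)
    d3 = parties[3].on_final(M)  # P_3 never received "m1", yet c-delivers it from M alone
    forged = completes(tag_id, "m2", ech1)  # echoes on m1 do not validate m2
    return cert1, cert2, d1, d3, forged


if __name__ == "__main__":
    print(run_conflicting_sender())
```

The consistency argument is the quorum-intersection one: with n = 4 and t = 1, two sets of n − t = 3 echoers must share at least 2 parties, at least one of which is honest and signs only once per tag. A real deployment would replace the HMAC tags by the threshold signature the paper uses, which also makes M constant-size instead of n − t tags long.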

4 Validated Byzantine Agreement 

The standard notion of validity for Byzantine agreement implements a binary 
decision and requires that only if all honest parties propose the same value, this 
is also the agreement value. No particular outcome is guaranteed otherwise. Ob- 
viously, this still ensures that the agreement value was proposed by some honest 
party for the binary case. But it does not generalize to multi-valued Byzantine 
agreement, and indeed, all previous protocols for multi-valued agreement ITKEni 
im may fall back to a default value in this case, and decide for a value that no 
honest party proposed. 

We solve this problem by introducing an external validity condition, which 
requires that the agreement value is legal according to a global, polynomial-time 
computable predicate, known to all parties and determined by the particular 
higher-level application. 

Validated Byzantine agreement generalizes the primitive of agreement on a 
core set P], which is used in the information-theoretic model for a similar purpose 
(a related protocol was also developed by Ben-Or and El-Yaniv PJ). 

4.1 Definition 

Suppose there is a global polynomial-time computable predicate Q_ID known 
to all parties, which is determined by an external application. Each party may 
propose a value v that should satisfy Q_ID and perhaps contains validation in- 
formation. The agreement domain is not restricted to binary values. 

A validated Byzantine agreement protocol is activated by a message of the 
form (ID, in, v-propose, v), where v ∈ {0,1}*. When this occurs, we say P_i 
proposes v for transaction ID. We assume the adversary activates all honest 
parties on a given ID at most once. W.l.o.g., honest parties propose values that 
satisfy Q_ID. 

A party terminates a validated Byzantine agreement protocol by generating 
a message of the form (ID, out, v-decide, v). In this case, we say P_i decides v 
for transaction ID. 

We say that any protocol message with tag ID that was generated by an 
honest party is associated to the validated Byzantine agreement protocol for ID. 
An agreement protocol may also invoke sub-protocols for low-level broadcasts or 
for Byzantine agreement; in this case, all messages associated to those protocols 
are associated to ID as well (such messages have tags with prefix ID|...). 

Definition 4 (Validated Byzantine Agreement). A protocol solves vali- 
dated Byzantine agreement with predicate Qid if it satisfies the following con- 
ditions except with negligible probability: 

External Validity: Any honest party that terminates for ID decides v such 
that Q_ID(v) holds. 

Agreement: If some honest party decides v for ID, then any honest party that 
terminates decides v for ID. 

Liveness: If all honest parties have been activated on ID and all associated 
messages have been delivered, then all honest parties have decided for ID. 
Integrity: If all parties follow the protocol, and if some party decides v for ID, 
then some party proposed v for ID. 

Efficiency: For every ID, the communication complexity for ID is probabilisti- 
cally uniformly bounded. 

A variation of the validity condition is that an application may prefer one 
class of decision values over others. Such an agreement protocol may be biased 
and always choose the preferred class in cases where other values would have 
been valid as well. 

Validated Byzantine agreement is often used with arguments that consist of 
a "value" part v and a separate "proof" π that establishes the validity of v. If v 
is a single bit, we call this the problem of binary validated agreement; a protocol 
for this task is used below. 

In fact, we will need a binary validated agreement protocol that is "biased" 
towards 1. Its purpose is to detect whether there is some validation for 1, so 
it suffices to guarantee termination with output 1 if t + 1 honest parties know 
the corresponding information at the outset. Formally, a binary validated Byzan- 
tine agreement protocol biased towards 1 is a protocol for validated Byzantine 
agreement on values in {0, 1} such that the following condition holds: 

Biased Validity: If at least t + 1 honest parties propose v = 1 then any honest 
party that terminates for ID decides v = 1. 
We describe two related protocols for multi-valued validated Byzantine agree- 
ment below: Protocol VBA, described in Section 4.3, needs O(n) rounds and in- 
vokes O(n) binary agreement sub-protocols; this can be improved to a constant 
expected number of rounds, resulting in Protocol VBAconst, which is described 
in a later section. But first we discuss the binary case. 

4.2 Protocols for the Binary Case 

It is easy to see that any binary asynchronous Byzantine agreement protocol can 
be adapted to external validity and can also be biased. 

For example, in the protocol of Cachin, Kursawe, and Shoup 0 one has to 
"justify" the pre-votes of round 1 with a valid "proof" π. The logic of the protocol 
guarantees that either a decision is reached immediately or the validations for 0 
and for 1 are seen by all parties in the first two rounds. Furthermore, the protocol 
can be biased towards 1 by modifying the coin such that it always outputs 1 in 
the first round. 



4.3 A Protocol for the Multi-valued Case 

We now describe Protocol VBA that implements multi-valued validated Byzan- 
tine agreement. 

The basic idea is that every party proposes its value as a candidate value 
for the final result. One party whose proposal satisfies the validation predicate 
is then selected in a sequence of binary Byzantine agreement protocols and this 
value becomes the final decision value. More precisely, the protocol consists of 
the following steps. 

Echoing the proposal (lines 1-4): Each party P_i c-broadcasts the value that 
it proposes to all other parties using verifiable authenticated consistent 
broadcast. This ensures that all honest parties obtain the same proposal 
value for any particular party, even if the sender is corrupted. Then P_i waits 
until it has received n − t proposals satisfying Q_ID before entering the agree- 
ment loop. 

Agreement loop (lines 5-20): One party is chosen after another, according 
to a fixed permutation Π of {1, ..., n}. Let a denote the index of the party 
selected in the current round (P_a is called the "candidate"). Each party P_i 
carries out the following steps for P_a: 

1. Send a v-vote message to all parties containing 1 if Pi has received 
Pa’s proposal (including the proposal in the vote) and 0 otherwise (lines 
6 - 11 ). 

2. Wait for n — t v-vote messages, but do not count votes indicating 1 
unless a valid proposal from Pa has been received — either directly or 
included in the v-vote message (lines 12-13). 

3. Run a binary validated Byzantine agreement biased towards 1 to de- 
termine whether Pa has properly broadcast a valid proposal. Vote 1 if 
Pi has received a valid proposal from Pa and add the protocol message 
Protocol VBA for party P_i, tag ID, and validation predicate Q_ID 

Let V_{ID|a}((v, ρ)) be the following predicate: 

V_{ID|a}((v, ρ)) = (v = 0) or 
    (v = 1 and ρ completes the verifiable authenticated c-broadcast of 
    a message (v-echo, w_a) with tag ID|vcbc.a.0 such that Q_ID(w_a) holds) 

Upon receiving message (ID, in, v-propose, w): 
 1: verifiably authenticatedly c-broadcast message (v-echo, w) tagged 
    with ID|vcbc.i.0 
 2: w_j ← ⊥ (1 ≤ j ≤ n) 
 3: wait for n − t messages (v-echo, w_j) to be c-delivered with tag ID|vcbc.j.0 
    from distinct P_j such that Q_ID(w_j) holds 
 4: l ← 0 
 5: repeat 
 6:   l ← l + 1; a ← Π(l) 
 7:   if w_a = ⊥ then 
 8:     send the message (ID, v-vote, a, 0, ⊥) to all parties 
 9:   else 
10:     let ρ be the message that completes the c-broadcast with tag ID|vcbc.a.0 
11:     send the message (ID, v-vote, a, 1, ρ) to all parties 
12:   u_j ← ⊥; ρ_j ← ⊥ (1 ≤ j ≤ n) 
13:   wait for n − t messages (ID, v-vote, a, u_j, ρ_j) from distinct P_j such 
      that V_{ID|a}((u_j, ρ_j)) holds 
14:   if there is some u_j = 1 then 
15:     v ← (1, ρ_j) 
16:   else 
17:     v ← (0, ⊥) 
18:   propose v for ID|a in binary validated Byzantine agreement biased 
      towards 1, with predicate V_{ID|a} 
19:   wait for the agreement protocol to decide some (b, ρ) for ID|a 
20: until b = 1 
21: if w_a = ⊥ then 
22:   use ρ to complete the verifiable authenticated c-broadcast with tag 
      ID|vcbc.a.0 and c-deliver (ID, v-echo, w_a) 
23: output (ID, out, v-decide, w_a) 
24: halt 

Fig. 1. Protocol VBA for multi-valued validated Byzantine agreement. 
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that completes the verifiable broadcast of Pa’s proposal to validate this 
vote. Otherwise, if Pi has received n — t v-vote messages containing 0, 
vote 0; no additional information is needed. If the agreement decides 1, 
exit from the loop (lines 14-20). 

Delivering the chosen proposal (lines 21—24): If Pi has not yet c- delivered 
the broadcast by the selected candidate, obtain the proposal from the value 
returned by the Byzantine agreement. 

The full protocol is shown in Figure ^ 
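The agreement loop of Figure 1, simulated for all parties in one process, as an added example that is not the paper's code. Two sub-protocols are replaced by stand-ins: the completion proof ρ of a verifiable c-broadcast is modelled as n - t MACs from distinct parties under constructed per-party keys, and the 1-biased binary validated Byzantine agreement is modelled as an oracle that decides 1 exactly when some party proposed a validated (1, ρ), which is one of the outcomes the real sub-protocol is permitted to return. The scenario (party ids, the predicate Q_ID, the payloads) is constructed. The point it shows is that a 1-vote must carry the proof, so a party that never c-delivered the candidate's proposal can still validate the vote and, on decision 1, complete the broadcast from ρ (lines 21-22).

```python
"""VBA agreement loop (Fig. 1) in one process; stand-ins as described above."""
import hashlib
import hmac

N, T = 4, 1                      # n = 4 parties, t = 1 corruption (n > 3t)
ID = b"demo-vba"

# Stand-in for the keys behind the verifiable c-broadcast: per-party MAC keys
# (constructed).  A completion proof rho is a set of n - t MACs from distinct
# parties over (ID|vcbc.a.0, v-echo, w).
KEYS = {j: hashlib.sha256(b"party-%d" % j).digest() for j in range(1, N + 1)}


def echo_share(j, a, w):
    tag = ID + b"|vcbc.%d.0|v-echo|" % a
    return hmac.new(KEYS[j], tag + w, hashlib.sha256).digest()


def completion_proof(a, w, signers):
    """rho: what a party that c-delivered Pa's proposal w can show to others."""
    return {"w": w, "shares": {j: echo_share(j, a, w) for j in signers}}


def completes(rho, a):
    """Does rho complete the c-broadcast with tag ID|vcbc.a.0?"""
    good = {j for j, s in rho["shares"].items()
            if hmac.compare_digest(s, echo_share(j, a, rho["w"]))}
    return len(good) >= N - T


def q_id(w):
    """Validation predicate Q_ID on proposals (constructed: a 'tx:' string)."""
    return w.startswith(b"tx:")


def v_pred(a, vote):
    """The predicate V_{ID|a}((v, rho)) from Fig. 1."""
    v, rho = vote
    if v == 0:
        return rho is None
    return v == 1 and rho is not None and completes(rho, a) and q_id(rho["w"])


def run_vba(known, perm, silent):
    """known[i][a] = completion proof Pi holds for Pa's proposal (absent if Pi
    has not c-delivered it); perm = the permutation Pi; silent = parties that
    never vote.  Returns (accepted candidate a, w_a) or None."""
    voters = [i for i in range(1, N + 1) if i not in silent]
    for a in perm:
        # lines 6-11: every voter sends (v-vote, a, u, rho)
        votes = {}
        for j in voters:
            rho = known[j].get(a)
            votes[j] = (1, rho) if rho is not None else (0, None)
        # lines 12-13: only votes satisfying V_{ID|a} are counted
        valid = {j: vt for j, vt in votes.items() if v_pred(a, vt)}
        if len(valid) < N - T:
            raise RuntimeError("would block: fewer than n - t valid votes for %d" % a)
        # lines 14-18: propose (1, rho_j) if some valid 1-vote exists, else (0, bottom)
        ones = [vt[1] for vt in valid.values() if vt[0] == 1]
        # line 19, oracle stand-in for the 1-biased binary validated BA (see lead-in)
        if ones:
            rho = ones[0]
            # lines 21-22: a party lacking Pa's proposal completes it from rho
            return a, rho["w"]
    return None


def demo():
    """Constructed run: P1..P3 proposed, P4 is corrupt and silent.  P2 never
    c-delivered P1's proposal, but P3 did and its 1-vote carries the proof."""
    w1, w2, w3 = b"tx:pay-alice", b"tx:pay-bob", b"tx:pay-carol"
    signers = [1, 2, 3]
    known = {
        1: {1: completion_proof(1, w1, signers), 2: completion_proof(2, w2, signers)},
        2: {2: completion_proof(2, w2, signers), 3: completion_proof(3, w3, signers)},
        3: {1: completion_proof(1, w1, signers), 3: completion_proof(3, w3, signers)},
        4: {},
    }
    return run_vba(known, perm=[4, 1, 2, 3], silent={4})


if __name__ == "__main__":
    print(demo())   # candidate 4 is rejected (all 0-votes), candidate 1 is accepted
```

A proof built for candidate 2 does not validate a vote on candidate 1 because the tag ID|vcbc.a.0 is bound into every share, and a proof with fewer than n - t shares, or a proposal failing Q_ID, is rejected before it can influence the agreement.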

Theorem 1. Given a protocol for biased binary validated Byzantine agreement
and a protocol for verifiable authenticated consistent broadcast, Protocol VBA
provides multi-valued validated Byzantine agreement for n > 3t.

The message complexity of Protocol VBA is O(tn^2) if Protocol VCBC
is used for verifiable consistent broadcast and the binary validated Byzantine
agreement is implemented according to Section 4.2.

If all parties propose v and π that are together no longer than L bits, the
communication complexity in the above case is O(n^2(tK + L)), assuming the
length of a threshold signature and a signature share is at most K bits. For a
constant fraction of corrupted parties, however, both values are cubic in n.



4.4 A Constant-Round Protocol for Multi-valued Agreement 

In this section we present Protocol VBAconst, which is an improvement of the
protocol in the previous section that guarantees termination within a constant
expected number of rounds. The drawback of Protocol VBA above is that the
adversary knows the order Π in which the parties search for an acceptable can-
didate, i.e., one that has broadcast a valid proposal. Although at least one third
of all parties are guaranteed to be accepted, the adversary can choose the cor-
ruptions and schedule messages such that none of them is examined early in the
agreement loop.

The remedy for this problem is to choose Π randomly during the protocol
after making sure that enough parties are already committed to their votes on
the candidates. This is achieved in two steps. First, one round of commitment
exchanges is added before the agreement loop. Each party must commit to the
votes that it will cast by broadcasting the identities of the n - t parties from
which it has received valid v-echo messages (using at least authenticated consis-
tent broadcast). Honest parties will later only accept v-vote messages that are
consistent with these commitments. The second step is to determine the permu-
tation Π using a threshold coin-tossing scheme that outputs a pseudo-random
value, after enough votes are committed. Taken together, these steps ensure
that the fraction of parties which are guaranteed to be accepted are distributed
randomly in Π, causing termination in a constant expected number of rounds.

The details of Protocol VBAconst are described in Figure 2 as modifications
to Protocol VBA.
Protocol VBAconst for party Pi, tag ID, and validation predicate Q_ID

Modify Protocol VBA for party Pi, tag ID, and validation predicate Q_ID as follows:

1. Initialize and distribute the shares for an (n, t + 1)-threshold coin-tossing scheme C
with k'-bit outputs during system setup. Recall that this defines a pseudorandom
function F. Let G be a pseudorandom generator according to Section 2.3.

2. Include the following instructions between lines 3 and 4 of Protocol VBA, before
entering the agreement loop:

 1: c_j ← 1 if w_j ≠ ⊥, 0 otherwise (1 ≤ j ≤ n)
 2: C ← [c_1, ..., c_n]
 3: authenticatedly c-broadcast the message (v-commit, C) tagged with ID|cbc.i.0
 4: C_j ← ⊥ (1 ≤ j ≤ n)
 5: wait for n - t messages (v-commit, C_j) to be c-delivered with tag ID|cbc.j.0
    such that at least n - t entries in C_j are 1
 6: generate a coin share γ of the coin ID|vba and send the message (ID, v-coin, γ)
    to all parties
 7: wait for t + 1 v-coin messages containing shares of the coin ID|vba and
    combine these to get the value S = F(ID|vba) ∈ {0, 1}^{k'}
 8: choose a random permutation Π, using the pseudorandom generator G with
    seed S.

3. Modify the condition for accepting v-vote messages (line 13) inside the agree-
ment loop such that (v-vote, a, 0, ⊥) from Pj is accepted only if C_j is known and
C_j[a] = 0. (This involves also waiting for additional messages (v-commit, C_j) to be
c-delivered as above.)

Fig. 2. Protocol VBAconst for multi-valued validated Byzantine agreement.



Theorem 2. Given a protocol for biased binary validated Byzantine agreement
and a protocol for verifiable consistent broadcast, Protocol VBAconst provides
multi-valued validated Byzantine agreement for n > 3t and invokes a constant
expected number of binary Byzantine agreement sub-protocols.

The expected message complexity of Protocol VBAconst is O(n^2) if Proto-
col VCBC is used for consistent verifiable broadcast and the binary validated
Byzantine agreement is implemented according to Section 4.2.

If all parties propose v and π that are together no longer than L bits, the
expected communication complexity in the above case is O(n^3 + n^2(K + L)),
assuming a digital signature is K bits. The n^3-term, which results from broad-
casting the commitments, has actually a very small hidden constant because the
commitments can be represented as bit vectors.
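The two additions of Figure 2, as an added example that is not the paper's code: the commitment vector and its acceptance rule (lines 1-5 of the insertion), the derivation of Π from the coin output (line 8), and the modified acceptance of 0-votes (item 3). The threshold coin is not implemented; its output S is a constructed seed, and SHAKE-256 stands in for the pseudorandom generator G. The last function estimates, over many seeds, how many loop iterations pass before an acceptable candidate is examined, which is what the constant-expected-rounds argument rests on.

```python
"""VBAconst additions (Fig. 2) with a constructed coin output and SHAKE-256 as G."""
import hashlib

N, T = 4, 1            # n = 4, t = 1


def commitment(w):
    """Lines 1-2: c_j = 1 iff w_j != bottom; w maps j -> proposal or None."""
    return [1 if w.get(j) is not None else 0 for j in range(1, N + 1)]


def accept_commitment(c):
    """Line 5: a v-commit counts only if at least n - t of its entries are 1."""
    return sum(c) >= N - T


def permutation_from_seed(seed):
    """Line 8: every party derives the same Pi from S by running Fisher-Yates on
    a PRG stream (SHAKE-256 is the stand-in for G)."""
    stream = hashlib.shake_256(seed).digest(8 * N)
    perm = list(range(1, N + 1))
    for i in range(N - 1, 0, -1):
        r = int.from_bytes(stream[8 * i:8 * i + 8], "big")
        k = r % (i + 1)
        perm[i], perm[k] = perm[k], perm[i]
    return perm


def accept_zero_vote(vote, commits):
    """Item 3: (v-vote, a, 0, bottom) from Pj is accepted only if C_j is known and
    C_j[a] = 0.  A 1-vote is still judged by V_{ID|a} exactly as in Protocol VBA,
    so it is passed through here."""
    j, a, u, rho = vote
    if u != 0:
        return True
    c = commits.get(j)
    return rho is None and c is not None and c[a - 1] == 0


def rounds_until_accepted(perm, accepted):
    """Loop iterations until a candidate with a valid proposal is examined
    under perm; None if there is none."""
    for idx, a in enumerate(perm, 1):
        if a in accepted:
            return idx
    return None


def average_rounds(accepted, trials=1000):
    """Mean number of iterations over many (constructed) coin outputs: the
    accepted parties land at random positions of Pi, so the mean does not
    depend on which parties the adversary corrupted."""
    total = 0
    for s in range(trials):
        perm = permutation_from_seed(b"coin-output-%d" % s)
        total += rounds_until_accepted(perm, accepted)
    return total / trials


if __name__ == "__main__":
    # Adversary-chosen order puts the acceptable parties {1, 2} last (Protocol VBA) ...
    print(rounds_until_accepted([4, 3, 2, 1], {1, 2}))
    # ... while a coin-derived order examines one of them after few iterations on average.
    print(average_rounds({1, 2}))
```

A party whose commitment says c_j[a] = 1 has told everyone it holds Pa's proposal; rejecting its later 0-vote on a prevents a corrupted party from first advertising a candidate and then voting against it once the random order makes that candidate decisive.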

5 Atomic Broadcast 

Atomic broadcast guarantees a total order on messages such that honest parties
deliver all messages with a common tag in the same order. It is well known that
protocols for atomic broadcast are considerably more expensive than those for
reliable broadcast because even in the crash-fault model, atomic broadcast is
equivalent to consensus [S] and cannot be solved by deterministic protocols. The
atomic broadcast protocol given here builds directly on multi-valued validated
Byzantine agreement from the last section.

5.1 Definition 

Atomic broadcast ensures that all messages broadcast with the same tag ID are 
delivered in the same order by honest parties; in this way, ID can be interpreted 
as the name of a broadcast “channel.” The total order of atomic broadcast yields 
an implicit labeling of all messages. 

An atomic broadcast is activated when the adversary delivers an input mes-
sage to Pi of the form (ID, in, a-broadcast, m), where m ∈ {0, 1}^*. When this
occurs, we say Pi atomically broadcasts m with tag ID. “Activation” here refers
only to the broadcast of a particular payload message; the broadcast channel ID
must be opened before the first such request.

A party terminates an atomic broadcast of a particular payload by generating
an output message of the form (ID, out, a-deliver, m). In this case, we say Pi
atomically delivers m with tag ID. To distinguish atomic broadcast from other
forms of broadcast, we will also use the terms a-broadcast and a-deliver.

The acknowledgement mechanism needed for composition of atomic broad- 
cast with other protocols is omitted from this extended abstract. 

Again, the adversary must not request an a-broadcast of the same payload
message from any particular party more than once for each ID (however, several
parties may a-broadcast the same message).

Atomic broadcast protocols should be fair so that a payload message m
is scheduled and delivered within a reasonable (polynomial) number of steps
after it is a-broadcast by an honest party. But since the adversary may delay
the sender arbitrarily and a-deliver an a priori unbounded number of messages
among the remaining honest parties, we can only provide such a guarantee when
at least t + 1 honest parties become “aware” of m. Our definitions of validity
and of fairness actually require that only after t + 1 honest parties have a-
broadcast some payload will it be delivered within a reasonable number of steps.
This is also the reason for allowing multiple parties to a-broadcast the same
payload message — a client application might be able to satisfy this precondition
through external means and achieve guaranteed fair delivery in this way. Fairness
can be interpreted as a termination condition for the broadcast of a particular
payload m.

The efficiency condition (which ensures fast termination) for atomic broad- 
cast differs from the protocols discussed so far because the protocol for a par- 
ticular tag cannot terminate on its own. It merely stalls if no more undelivered 
payload messages are in the system and must be terminated externally. Thus, 
we cannot define efficiency using the absolute number of protocol messages gen- 
erated. Instead we measure the progress of the protocol with respect to the 
number of messages that are a-delivered by honest parties. In particular, we 
require that the number of associated protocol messages does not exceed the
number of a-delivered payload messages times a polynomial factor, independent
of the adversary.

We say that a protocol message is associated to the atomic broadcast protocol
with tag ID if and only if the message is generated by an honest party and tagged
with ID or with a tag ID|... starting with ID. In particular, this encompasses
all messages of the atomic broadcast protocol with tag ID generated by honest
parties and all messages associated to basic broadcast and Byzantine agreement
sub-protocols invoked by atomic broadcast.

Fairness and efficiency are defined using the number of payload messages in 
the “implicit queues” of honest parties. We say that a payload message m is in 
the implicit queue of a party Pi (for channel ID) if Pi has a-broadcast m with 
tag ID, but no honest party has a-delivered m tagged with ID. The system queue 
contains any message that is in the implicit queue of some honest party. We say 
that one payload message in the implicit queue of an honest party Pi is older 
than another if Pi a-broadcast the first message before it a-broadcast the second 
one. 

When discussing implicit queues at particular points in time, we consider a
sequence of events E_1, ..., E_k during the operation of the system, where each
event but the last one is either an a-broadcast or a-delivery by an honest party.
The phrase “at time τ” for 1 ≤ τ ≤ k refers to the point in time just before
event E_τ occurs.

Definition 5 (Atomic Broadcast). A protocol for atomic broadcast satisfies
the following conditions except with negligible probability:

Validity: There are at most t honest parties with non-empty implicit queues for
some channel ID, provided the adversary opens channel ID for all honest
parties and delivers all associated messages.

Agreement: If some honest party has a-delivered m tagged with ID, then all
honest parties a-deliver m tagged with ID, provided the adversary opens
channel ID for all honest parties and delivers all associated messages.

Total Order: Suppose an honest party Pi has a-delivered m_1, ..., m_s with tag
ID, a distinct honest party Pj has a-delivered m'_1, ..., m'_{s'} with tag ID, and
s ≤ s'. Then m_l = m'_l for 1 ≤ l ≤ s.

Integrity: For all ID, every honest party a-delivers a payload message m at
most once tagged with ID. Moreover, if all parties follow the protocol, then
m was previously a-broadcast by some party with tag ID.

Fairness: Fix a particular protocol instance with tag ID. Consider the system
at any point in time τ_0 where there is a set T of t + 1 honest parties with
non-empty implicit queues, let M be the set consisting of the oldest payload
message for each party in T, and let S_0 denote the total number of distinct
payload messages a-delivered by any honest party so far. Define a random
variable U as follows: let U be the total number of distinct payload messages
a-delivered by honest parties at the point in time when the first message in
M is a-delivered by any honest party, or let U = S_0 if this never occurs.
Then U - S_0 is uniformly bounded.

Efficiency: For a particular protocol instance with tag ID, let X denote its
communication complexity, and let Y be the total number of distinct payload
messages that have been a-delivered by any honest party with tag ID. Then,
at any point in time, the random variable X/(Y + 1) is probabilistically uni-
formly bounded.
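Definition 5 is stated over the a-deliver sequences and implicit queues of honest parties, which makes its safety clauses directly checkable on recorded delivery logs. The following added example (not from the paper) audits a snapshot of per-party a-deliver logs for one channel against Total Order and the first half of Integrity, and computes the implicit queues that Fairness refers to. The party names and payload strings are constructed sample data. Agreement is deliberately not checked: on a finite snapshot a lagging party is not a violation, only a differing prefix is.

```python
"""Offline audit of a-deliver logs against the safety clauses of Definition 5."""


def check_integrity(log):
    """Integrity, first half: each payload a-delivered at most once by this party."""
    return len(log) == len(set(log))


def total_order_violations(logs):
    """Total Order: for any two parties the shorter delivery sequence must be a
    prefix of the longer one.  Returns the offending pairs."""
    names = sorted(logs)
    bad = []
    for x in range(len(names)):
        for y in range(x + 1, len(names)):
            a, b = logs[names[x]], logs[names[y]]
            s = min(len(a), len(b))
            if a[:s] != b[:s]:
                bad.append((names[x], names[y]))
    return bad


def audit(logs):
    """Run both checks; an empty list means the snapshot is consistent."""
    problems = [("integrity", p) for p in sorted(logs) if not check_integrity(logs[p])]
    problems += [("total-order", pair) for pair in total_order_violations(logs)]
    return problems


def implicit_queues(broadcasts, logs):
    """m is in Pi's implicit queue iff Pi a-broadcast m and no honest party has
    a-delivered m yet; a-broadcast order is kept, so older messages come first."""
    delivered = set()
    for log in logs.values():
        delivered.update(log)
    return {p: [m for m in ms if m not in delivered] for p, ms in broadcasts.items()}


def fairness_premise_holds(queues, t):
    """Fairness only promises bounded delay once t + 1 honest parties have
    non-empty implicit queues."""
    return sum(1 for q in queues.values() if q) >= t + 1


if __name__ == "__main__":
    # Constructed sample: P1..P3 are consistent, P4 reordered, P5 duplicated.
    logs = {"P1": ["m1", "m2", "m3"], "P2": ["m1", "m2"],
            "P3": ["m1", "m2", "m3", "m4"], "P4": ["m1", "m3"],
            "P5": ["m1", "m2", "m2"]}
    print(audit(logs))
    print(implicit_queues({"P1": ["m5", "m2"], "P2": ["m6"]}, logs))
```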

5.2 A Protocol for Atomic Broadcast 

Our Protocol ABC for atomic broadcast uses a secure digital signature scheme
S and proceeds as follows. Each party maintains a FIFO queue of not yet a-
delivered payload messages. Messages received to a-broadcast are appended to
this queue whenever they are received. The protocol proceeds in asynchronous
global rounds, where each round r consists of the following steps:

1. Send the first payload message w in the current queue to all parties, accom-
panied by a digital signature σ in an a-queue message.

2. Collect the a-queue messages of n - t distinct parties and store them in a
vector W, and propose W for validated Byzantine agreement.

3. Perform multi-valued Byzantine agreement with validation of a vector of tu-
ples W = [(w_1, σ_1), ..., (w_n, σ_n)] through the predicate Q_{ID|abc.r}(W) which
is true if and only if for at least n - t distinct tuples j, the string σ_j is a
valid S-signature on (ID, a-queue, r, j, w_j) by Pj.

4. After deciding on a vector V of messages, deliver the union of all payload
messages in V according to a deterministic order; proceed to the next round.

In order to ensure liveness of the protocol, there are actually two ways in 
which the parties move forward to the next round: when a party receives an a- 
broadcast input message (as stated above) and when a party with an empty queue 
receives an a-queue message of another party pertaining to the current round. 
If either of these two messages arrive and contain a yet undelivered payload 
message, and if the party has not yet sent its own a-queue message for the 
current round, then it enters the round by appending the payload to its queue 
and sending an a-queue message to all parties. 

The detailed description of Protocol ABC is given in Figure 3. The FIFO
queue q is an ordered list of values (initially empty). It is accessed using the
operations append, remove, and first, where append(q, m) inserts m into q at the
end, remove(q, m) removes m from q (if present), and first(q) returns the first
element in q. The operation m ∈ q tests if an element m is contained in q.

A party waiting at the beginning of a round simultaneously waits for an
a-broadcast and an a-queue message containing some w ∉ d in line 2. If it
receives an a-broadcast request, the payload m is appended to q. If only a suitable
a-queue protocol message is received, the party makes w its own message for
the round, but does not append it to q.

Theorem 3. Given a protocol for multi-valued validated Byzantine agreement
and assuming S is a secure signature scheme, Protocol ABC provides atomic
broadcast for n > 3t.



Secure and Efficient Asynchronous Broadcast Protocols 539 



Protocol ABC for party Pi and tag ID

Let Q_{ID|abc.r} be the following predicate:

  Q_{ID|abc.r}([(w_1, σ_1), ..., (w_n, σ_n)]) = for at least n - t distinct j, σ_j is a valid
                                             S-signature by Pj on (ID, a-queue, r, j, w_j)

Initialization:

  q ← []   {FIFO queue of messages to a-broadcast}
  d ← ∅    {set of a-delivered messages}
  r ← 0    {current round}

Upon receiving message (ID, in, a-broadcast, m):
  if m ∉ d and m ∉ q then
    append(q, m)

Forever:

 1: w_j ← ⊥; σ_j ← ⊥ (1 ≤ j ≤ n)
 2: wait for q ≠ [] or a message (ID, a-queue, r, l, w_l, σ_l) received from P_l
    such that w_l ∉ d and σ_l is a valid signature from P_l
 3: if q ≠ [] then
 4:   w ← first(q)
 5: else
 6:   w ← w_l
 7: compute a digital signature σ on (ID, a-queue, r, i, w)
 8: send the message (ID, a-queue, r, i, w, σ) to all parties
 9: wait for n - t messages (ID, a-queue, r, j, w_j, σ_j) such that σ_j is a valid
    signature from Pj (including the message from Pi above)
10: W ← [(w_1, σ_1), ..., (w_n, σ_n)]
11: propose W for multi-valued validated Byzantine agreement for ID|abc.r
    with predicate Q_{ID|abc.r}
12: wait for the validated Byzantine agreement protocol to decide some
    V = [(v_1, τ_1), ..., (v_n, τ_n)] for ID|abc.r
13: b ← ∪_{j=1}^{n} {v_j}
14: for m ∈ (b \ d), in some deterministic order do
15:   output (ID, out, a-deliver, m)
16:   d ← d ∪ {m}
17:   remove(q, m)
18: r ← r + 1

Fig. 3. Protocol ABC for atomic broadcast using multi-valued validated Byzantine
agreement.
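One round of Protocol ABC (Figure 3) for all parties in a single process, as an added example that is not the paper's code. The signature scheme S is stood in for by per-party HMAC keys (constructed), so verification here needs the signer's key; the multi-valued validated Byzantine agreement of line 11-12 is not implemented, and the decided vector V is taken to be one honest party's proposal W, which the predicate Q_{ID|abc.r} admits. Party ids and payloads are constructed. The example shows the predicate rejecting a forged a-queue entry, the empty-queue case of line 6, and that every honest party a-delivers the same payloads in the same order from the same V.

```python
"""One round of Protocol ABC (Fig. 3) with HMAC standing in for signatures."""
import hashlib
import hmac

N, T = 4, 1
ID = b"demo-abc"
KEYS = {j: hashlib.sha256(b"abc-party-%d" % j).digest() for j in range(1, N + 1)}


def sign(j, r, w):
    """Stand-in for an S-signature by Pj on (ID, a-queue, r, j, w)."""
    return hmac.new(KEYS[j], ID + b"|a-queue|%d|%d|" % (r, j) + w, hashlib.sha256).digest()


def verify(j, r, w, sigma):
    return hmac.compare_digest(sign(j, r, w), sigma)


def q_abc(r, W):
    """Q_{ID|abc.r}(W): at least n - t distinct j carry a valid signature on
    (ID, a-queue, r, j, w_j)."""
    good = {j for j, (w, s) in enumerate(W, 1)
            if w is not None and s is not None and verify(j, r, w, s)}
    return len(good) >= N - T


class Party:
    """State of one party: queue q, delivered set d, round r."""

    def __init__(self, i):
        self.i, self.q, self.d, self.r = i, [], set(), 0

    def a_broadcast(self, m):
        """Upon (ID, in, a-broadcast, m): append unless already delivered or queued."""
        if m not in self.d and m not in self.q:
            self.q.append(m)

    def a_queue_msg(self, adopted=None):
        """Lines 3-8: sign first(q), or the w_l adopted from another party's
        a-queue message when q is empty (line 6); return the a-queue message."""
        w = self.q[0] if self.q else adopted
        if w is None:
            raise RuntimeError("line 2: nothing to send in this round yet")
        return (self.r, self.i, w, sign(self.i, self.r, w))

    def build_proposal(self, msgs):
        """Lines 9-10: keep one validly signed a-queue message per sender for the
        current round; n - t of them are needed before W can be proposed."""
        W = [(None, None)] * N
        for r, j, w, s in msgs:
            if r == self.r and 1 <= j <= N and verify(j, r, w, s):
                W[j - 1] = (w, s)
        if sum(w is not None for w, _ in W) < N - T:
            raise RuntimeError("line 9: would wait for more a-queue messages")
        return W

    def deliver(self, V):
        """Lines 13-18: a-deliver the not yet delivered payloads of the decided
        vector in a deterministic order (sorted here), then advance the round."""
        b = {v for v, _ in V if v is not None}
        delivered = []
        for m in sorted(b - self.d):
            delivered.append(m)
            self.d.add(m)
            if m in self.q:
                self.q.remove(m)
        self.r += 1
        return delivered


def demo():
    """Constructed round 0: P1 and P2 have queued payloads, P3's queue is empty
    and adopts P1's w, P4 is corrupt and sends a forged signature."""
    ps = {i: Party(i) for i in range(1, N + 1)}
    ps[1].a_broadcast(b"tx:alice")
    ps[2].a_broadcast(b"tx:bob")
    ps[2].a_broadcast(b"tx:bob2")
    msgs = [ps[1].a_queue_msg(), ps[2].a_queue_msg()]
    msgs.append(ps[3].a_queue_msg(adopted=msgs[0][2]))
    msgs.append((0, 4, b"tx:evil", b"\x00" * 32))
    W = ps[1].build_proposal(msgs)          # forged entry is dropped
    if not q_abc(0, W):
        raise RuntimeError("proposal would be rejected by the predicate")
    # The agreement ID|abc.0 decides some validated vector; here P1's W.
    return {i: ps[i].deliver(W) for i in (1, 2, 3)}, ps[2].q


if __name__ == "__main__":
    print(demo())
```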
The message complexity of Protocol ABC to broadcast one payload message
m is dominated by the number of messages in the multi-valued validated Byzan-
tine agreement; the extra overhead for atomic broadcast is only O(n^2) messages.
The same holds for the communication complexity, but the proposed values have
length O(n(|m| + K)), assuming digital signatures of length K bits.

With Protocol VBAconst from Section 4.4 the total expected message com-
plexity is O(n^2) and the expected communication complexity is O(n^3|m|) for an
atomic broadcast of a single payload message.

6 Secure Causal Atomic Broadcast 

Secure causal atomic broadcast is a useful protocol for building secure appli-
cations that use state machine replication in a Byzantine setting. It provides
atomic broadcast, which ensures that all recipients receive the same sequence
of messages, and also guarantees that the payload messages arrive in an order
that maintains “input causality,” a notion introduced by Reiter and Birman.
Informally, input causality ensures that a Byzantine adversary may not ask the
system to deliver any payload message that depends in a meaningful way on a
yet undelivered payload sent by an honest client. This is very useful for delivering
client requests to a distributed service in applications that require the contents
of a request to remain secret until the system processes it. Input causality is
related to the standard causal order, which goes back to Lamport; causal-
ity is a useful safety property for distributed systems with crash failures, but is
actually not well defined in the Byzantine model.

Input causality can be achieved if the sender encrypts a message to broadcast
with the public key of a threshold cryptosystem for which all parties share the
decryption key. The ciphertext is then broadcast using an atomic broadcast
protocol; after delivering it, all parties engage in an additional round to recover
the message from the ciphertext.

The definition and an implementation of secure causal atomic broadcast on
top of atomic broadcast can be found in the full version.
Abstract. The public-key model for interactive proofs has proved to
be quite effective in improving protocol efficiency. We argue,
however, that its soundness notion is more subtle and complex than in
the classical model, and that it should be better understood to avoid
designing erroneous protocols. Specifically, for the public-key model, we

— identify four meaningful notions of soundness;

— prove that, under minimal complexity assumptions, these four no-
tions are distinct;

— identify the exact soundness notions satisfied by prior interactive
protocols; and

— identify the round complexity of some of the new notions.



1 Introduction 

The Bare Public-Key Model for Interactive Proofs. A novel pro-
tocol model, which we call the bare public-key (BPK) model, was introduced
by Canetti, Goldreich, Goldwasser and Micali in the context of resettable zero-
knowledge [CGGM00]. Although introduced with a specific application in mind,
the BPK model applies to interactive proofs in general, regardless of their knowl-
edge complexity. The model simply assumes that the verifier has a public key,
PK, that is registered before any interaction with the prover begins. No special
protocol needs to be run to publish PK, and no authority needs to check any
property of PK. It suffices for PK to be a string known to the prover, and chosen
by the verifier prior to any interaction with him.

The BPK model is very simple. In fact, it is a weaker version of the fre-
quently used public-key infrastructure (PKI) model, which underlies any public-
key cryptosystem or digital signature scheme. In the PKI case, a secure asso-
ciation between a key and its owner is crucial, while in the BPK case no such
association is required. The single security requirement of the BPK model is
that a bounded number of keys (chosen beforehand) are “attributable” to a
given user. Indeed, having a prover P work with an incorrect public key for a
verifier V does not affect soundness nor resettable zero-knowledgeness; at most,
it may affect completeness. (Working with an incorrect key may only occur when
an active adversary is present — in which case, strictly speaking, completeness
does not even apply: this fragile property only holds when all are honest.)

Despite its apparent simplicity, the BPK model is quite powerful. While re-
settable zero-knowledge (RZK) protocols exist both in the standard and in the
BPK models [CGGM00], only in the latter case can they be constant-round, at
least in a black box sense (even the weaker notion of concurrent zero knowl-
edge is not black-box implementable in a constant number of rounds
[KPR98, Ros00]). Indeed, the BPK model was introduced precisely to improve the
round efficiency of RZK protocols.



The Problem of Soundness in the Bare Public-Key Model. Despite 
its simple mechanics, we argue that the soundness property of the bare public- 
key model has not been understood, and indeed is more complex than in the 
classical case. 

In the classical model for interactive proofs, soundness can be defined quite
easily: essentially, there should be no efficient malicious prover P* that can
convince V of the verity of a false statement with non-negligible probability. This
simple definition suffices regardless of whether P* interacts with the verifier only
once, or several times in a sequential manner, or several times in a concurrent
manner. The reason for this sufficiency is that, in the standard model, V is
polynomial-time and has no “secrets” (i.e., all of its inputs are known to P*).
Thus, if there were a P* successful “against a multiplicity of verifiers,” then
there would also be a malicious prover successful against a single verifier V: it
would simply let P* interact with V while “simulating all other verifiers.”

In the BPK model, however, V has a secret key SK, corresponding to its
public key PK. Thus, P* could potentially gain some knowledge about SK from
an interaction with V, and this gained knowledge might help P* to convince V
of a false theorem in a subsequent interaction. Therefore,

in the BPK model, the soundness property may be affected by the type of
interaction a malicious prover is entitled to have with the verifier, as well as
the sheer number of these interactions.

In addition, other totally new issues arise in the BPK model. For example, should
P* be allowed to determine the exact false statement of which it tries to convince
V before or after it sees PK? Should P* be allowed to change that statement
after a few interactions with V?

In sum, an increased use of the BPK model needs to be coupled with a better
understanding of its soundness properties in order to avoid designing protocols
that are unsound (and thus insecure) or “too sound” (and thus, potentially, less
efficient than otherwise possible). This is indeed the process we start in this paper.

Four Notions of Soundness in the Bare Public-Key Model. Having 
identified the above issues, we formalize four meaningful notions of soundness 
in the BPK model. (These notions correspond in spirit to the commonly used 
notions of zero knowledge in the standard model. That is, the ways in which 
a malicious prover is allowed to interact with the honest verifier correspond to 
those in which a malicious verifier is allowed to interact with the honest prover
in various notions of zero knowledgeness.) Roughly speaking, here are the four
notions, each of which implies the previous one:

1. one-time soundness, when P* is allowed a single interaction with V per
theorem statement;

2. sequential soundness, when P* is allowed multiple but sequential inter-
actions with V;

3. concurrent soundness, when P* is allowed multiple interleaved interac-
tions with the same V; and

4. resettable soundness, when P* is allowed to reset V with the same random
tape and interact with it concurrently.

All four notions are meaningful. Sequential soundness (the notion implicitly used
in [CGGM00]) is certainly a very natural notion, and concurrent and resettable
soundness are natural extensions of it. As for one-time soundness, it is also quite
meaningful when it is possible to enforce that a prover who fails to convince
the verifier of the verity of a given statement S does not get a second chance at
proving S. (E.g., the verifier may memorize the theorem statements for which
the prover failed; or make suitable use of timestamps.)

These four notions of soundness apply both to interactive proofs (where a
malicious prover may have unlimited power [GMR89]) and argument systems
(where a malicious prover is restricted to polynomial time [BCC88]).

Separating the Four Notions. We prove that the above four notions are 
not only meaningful, but also distinct. Though conceptually important, these 
separations are technically simple. They entail exhibiting three protocols, each 
satisfying one notion but not the next one; informally, we prove the following 
theorems. 

Theorem 1. If one-way functions exist, there is a compiler-type algorithm that,
for any language L, and any interactive argument system for L satisfying one-
time soundness, produces another interactive argument system for the same lan-
guage L that satisfies one-time soundness but not sequential soundness.

Theorem 2. If one-way functions exist, there is a compiler-type algorithm that,
for any language L, and any argument system for L satisfying sequential sound-
ness, produces another argument system for the same language L that satisfies
sequential soundness but not concurrent soundness.

Theorem 3. There exists a compiler-type algorithm that, for any language L,
and any interactive proof (or argument) system for L satisfying concurrent
soundness, produces another interactive proof (respectively, argument) system
for the same language L that satisfies concurrent soundness but not resettable
soundness.

Note that our separation theorems hold with complexity assumptions that are
indeed minimal: the third theorem holds unconditionally; while the first and
second rely only on the existence of one-way functions. (This is why Theorems
1 and 2 only hold for bounded provers.)

Realizing that there exist separate notions of soundness in the BPK model 
is crucial to avoid errors. By relying on a single, undifferentiated, and intuitive 
notion of soundness, one might design a BPK protocol sound in settings where 
malicious provers are limited in their interactions, while someone else might 
erroneously use it in settings where malicious provers have greater powers. 

The Exact Soundness of Prior Protocols in the BPK Model. Having
realized that there are various notions of soundness and that it is important to
specify which one is satisfied by any given protocol, a natural question arises:
what type of soundness is actually enjoyed by the already existing protocols in
the BPK model?

There are right now two such protocols: the original RZK argument proposed
in [CGGM00] and the 3-round RZK argument of [MR01] (the latter holding in
a BPK model with a counter). Thus we provide the following answers:

1. The CGGM protocol is sequentially sound, and probably no more than that. 
That is, while it is sequentially sound, we provide evidence that it is NOT 
concurrently sound. 

2. The MR protocol is exactly concurrently sound. That is, while it is concur- 
rently sound, we prove that it is NOT resettably sound. 

(As we said, the MR protocol works in a stronger public-key model, but all 
our notions of soundness easily extend to this other model.) 

The Round Complexity of Soundness in the BPK Model. Since we 
present four notions of soundness, each implying the previous one, one may con- 
clude that only the last one should be used. However, we shall argue that achiev- 
ing a stronger notion of soundness requires using more rounds. Since rounds 
perhaps are the most expensive resource in a protocol, our lowerbounds justify 
using weaker notions of soundness whenever possible. 

To begin with, we adapt an older lowerbound of [GK96] to prove the following
theorem.

Theorem 4. Any (resettable or not) black-box ZK protocol satisfying concurrent
soundness in the BPK model for a language L outside of BPP requires at least
four rounds.

However, whether such an RZK protocol exists remains an open problem. A
consequence of the above lowerbound is that, in any application in which four
rounds are deemed to be too expensive, one needs either to adopt a stronger
model (e.g., the public-key model with counter of [MR01]) or to settle for 3-
round protocols satisfying a weaker soundness property.¹ We thus provide such
a protocol; namely, we prove the following theorem.

¹ It is easy to prove that one cannot obtain fewer rounds than three, using the theorem
from [GO94] stating that, in the standard model, 2-round auxiliary-input ZK is
impossible for non-trivial languages.
Theorem 5. Assuming the security of RSA with large prime exponents against
subexponentially-strong adversaries, for any L ∈ NP, there exists a 3-round
black-box RZK protocol in the BPK model that possesses one-time, but not se-
quential, soundness.

Whether the BPK model allows for 3-round, sequentially sound, ZK protocols
remains an open problem. It is known that four rounds suffice in the standard
model for ZK protocols [FS89], and therefore also in the BPK model. However,
in the following theorem we show that in the BPK model four rounds suffice
even for resettable ZK.

Theorem 6. Assuming there exist certified trapdoor permutation families² se-
cure against subexponentially-strong adversaries, for any L ∈ NP, there exists
a 4-round black-box RZK protocol in the BPK model that possesses sequential
soundness.

2 Four Notions of Soundness 

Note: For the sake of brevity, in this section we focus exclusively on arguments, 
rather than proofs (i.e., the malicious prover is limited to polynomial time, and 
soundness is computational). All the currently known examples of protocols in 
the BPK model are arguments anyway, because they enable a malicious prover to 
cheat if it can recover the secret key SK from the public key PK . Our definitions, 
however, can be straightforwardly modified for proofs. (Note that the BPK model 
does not rule out interactive proofs: in principle, one can make clever use of a 
verifier public key that has no secrets associated with it.) 

In this section, we formally define soundness in the BPK model, namely that a 
malicious prover should be unable to get the verifier to accept a false statement.^ 
For the sake of brevity, we focus only on soundness. The notions of completeness 
(which is quite intuitive) and resettable zero-knowledgeness (previously defined 
in [CGGM00]) are provided in the Appendix. 



The Players 

Before providing the definitions, we need to define the parties to the game: the 
honest P and V and the various malicious impostors. Let 

^ A trapdoor permutation family is certified if it is easy to verify that a given function 
belongs to the family. 

^ It is possible to formalize the four notions of soundness by insisting that the verifier 
give zero knowledge to the (one-time, sequential, concurrent or resetting) malicious 
prover. This would highlight the correspondence of our soundness notions to the 
notions of zero-knowledge, and would be simpler to define, because the definitions 
of zero-knowledge are already well established. However, such an approach is an 
overkill, and would result in unnecessarily restrictive notions of soundness in the 
BPK model: we do not care if the prover gains knowledge so long as the knowledge 
does not allow the prover to cheat. 






A public file F be a polynomial-size collection of records (id, PK_id), where 
id is a string identifying a verifier, and PK_id is its (alleged) public key. 

An (honest) prover P (for a language L) be an interactive deterministic 
polynomial-time TM that is given as inputs (1) a security parameter 1^n, (2) 
an n-bit string x ∈ L, (3) an auxiliary input y, (4) a public file F, (5) a verifier 
identity id, and (6) a random tape ω. 

An (honest) verifier V be an interactive deterministic polynomial-time TM 
that works in two stages. In stage one (the key-generation stage), on input 
a security parameter 1^n and random tape r, V outputs a public key PK 
and the corresponding secret key SK. In stage two (the verification stage), 
on input SK, an n-bit string x and a random string ρ, V performs an 
interactive protocol with a prover, and outputs “accept x” or “reject x.” 
For simplicity of exposition, fixing SK and ρ, one can view the verification 
stage of V as a non-interactive TM that is given x and the entire history 
of the messages already received in the interaction, and outputs the next 
message to be sent, or “accept x”/“reject x.” This view allows one to think 
of V(SK, ρ) as a simple deterministic oracle, which is helpful in defining the 
notion of resettable soundness below (however, we will use the interactive 
view of V in defining one-time, sequential and concurrent soundness). 

An s-sequential malicious prover P* for a positive polynomial s be a prob- 
abilistic polynomial-time TM that, on first input 1^n, runs in at most s(n) 
stages, so that 

1. In stage 1, P* receives a public key PK and outputs a string x_1 of length n. 

2. In every even stage, P* starts in the final configuration of the previous 
stage and performs a single interactive protocol: it outputs outgoing 
messages and receives incoming messages (the machine with which it 
performs the interactive protocol will be specified below, in the definition 
of sequential soundness). It can choose to abort an even stage at any 
point and move on to the next stage by outputting a special message. 

3. In every odd stage i > 1, P* starts in the final configuration of the 
previous stage and outputs a string x_i of length n. 

An s-concurrent malicious prover P*, for a positive polynomial s, be a prob- 
abilistic polynomial-time TM that, on inputs 1^n and PK, performs at most 
s(n) interactive protocols as follows: 

1. If P* is already running i − 1 interactive protocols, 1 ≤ i − 1 < s(n), it 
can output a special message “Start x_i,” where x_i is a string of length n. 

2. At any point it can output a message for any of its (at most s(n)) 
interactive protocols (the protocol is unambiguously identified in the 
outgoing message). It then immediately receives the party’s response 
and continues. 

An s-resetting malicious prover P*, for a positive polynomial s, be a proba- 
bilistic polynomial-time TM that, on inputs 1^n and PK, gets access to s(n) 
oracles for the verifier (to be precisely specified below, in the definition of 
resettable soundness). 







The Definitions 

A pair (P, V) can satisfy one or more of the four different notions of soundness 
defined below. We note that each subsequent notion trivially implies the previous 
one. 

For the purposes of defining one-time and sequential soundness, we consider 
the following procedure for a given s-sequential malicious prover P*, a verifier 
V and a security parameter n. 

Procedure Sequential-Attack 

1. Run the key-generation stage of V on input 1^n and a random string r to 
obtain PK, SK. 

2. Run first stage of P* on inputs 1^n and PK to obtain an n-bit string x_1. 

3. For i ranging from 1 to s(n)/2: 

3.1 Select a random string ρ_i. 

3.2 Run the 2i-th stage of P*, letting it interact with the verification 
stage of V with input SK, x_i, ρ_i. 

3.3 Run the (2i + 1)-th stage of P* to obtain an n-bit string x_{i+1}. 

Definition 1. (P, V) satisfies one-time soundness for a language L if for all 
positive polynomials s, for all s-sequential malicious provers P*, the probability 
that in an execution of Sequential-Attack, there exists i such that 1 ≤ i ≤ s(n), 
x_i ∉ L, x_j ≠ x_i for all j < i and V outputs “accept x_i” is negligible in n. 

Sequential soundness differs from one-time soundness only in that the malicious 
prover is allowed to have x_i = x_j for i < j. 

Definition 2. (P, V) satisfies sequential soundness for a language L if for all 
positive polynomials s, for all s-sequential malicious provers P*, the probability 
that in an execution of Sequential-Attack, there exists i such that 1 ≤ i ≤ s(n), 
x_i ∉ L, and V outputs “accept x_i” is negligible in n. 

For the purposes of defining concurrent soundness, we consider the following 
procedure for a given s-concurrent malicious prover P*, a verifier V and a security 
parameter n. 

Procedure Concurrent-Attack 

1. Run the key-generation stage of V on input 1^n and a random string r to 
obtain PK, SK. 

2. Run P* on inputs 1^n and PK. 

3. Whenever P* outputs “Start x_i,” select a fresh random string ρ_i and let 
the i-th machine with which P* interacts be the verification stage of V on 
inputs SK, x_i, ρ_i. 

Of course, the multiple instances of V are “unaware” and independent of each 
other, because they are started with fresh random strings. 

Definition 3. (P, V) satisfies concurrent soundness for a language L if for all 
positive polynomials s, for all s-concurrent malicious provers P*, the probability 
that in an execution of Concurrent-Attack, V ever outputs “accept x” for x ∉ L 
is negligible in n. 
Finally, for the purposes of defining resettable soundness, we consider the fol- 
lowing procedure for a given s-resetting malicious prover P*, a verifier V and a 
security parameter n. 

Procedure Resetting-Attack 

1. Run the key-generation stage of V on input 1^n and a random string r to 
obtain PK, SK. 

2. Run P* on inputs 1^n and PK. 

3. Generate s(n) random strings ρ_i for 1 ≤ i ≤ s(n). 

4. Let P* interact with oracles for the second stage of the verifier, the i-th 
oracle having input SK, ρ_i. 

Note that concurrent soundness and resettable soundness differ in one crucial 
aspect: for the former, every instance of V is an interactive TM that keeps state 
between rounds of communication, and thus cannot be rewound; whereas for the 
latter, every instance of V is just an oracle, and thus can effectively be rewound. 

Definition 4. (P, V) satisfies resettable soundness for a language L if for all 
positive polynomials s, for all s-resetting malicious provers P*, the probability 
that in an execution of Resetting-Attack, P* ever receives “accept x” for x ∉ L 
from any of the oracles is negligible in n. 

3 Separating the Four Notions 

The Common Idea 

Given a protocol (P, V) that satisfies the i-th soundness notion (for i = 1, 2, or 
3), we deliberately weaken the verifier to come up with a protocol that 
does not satisfy the (i+1)-th soundness notion, but still satisfies the i-th. In each 
case, we add rounds at the beginning of (P, V) (and sometimes information 
to the keys) that have nothing to do with the language or the theorem being 
proven. At the end of these rounds, either V' accepts, or (P', V') proceed with 
the protocol (P, V). In each case, it will be easy for a malicious prover for the 
(i+1)-th notion of soundness to get V' to accept at the end of these additional 
rounds. 

To prove that the resulting protocol (P', V') still satisfies the i-th notion 
of soundness, it will suffice to show that if a malicious prover P'* for (P', V') 
exists, then it can be used to construct a malicious prover P* for (P, V). In each 
case, this is easily done: P* simply simulates the additional rounds to P'* (one 
also has to argue that V' interacting with P'* is unlikely to accept during these 
additional rounds). 

Finally, to ensure that zero-knowledgeness of (P, V) is not affected, during 
the additional rounds the honest P' will simply send some fixed values to V' and 
disregard the values sent by V'. 

Each of the subsections below describes the specific additional information 
in the keys and the additional rounds. We do not provide the details of proofs, 
as they can be easily derived from the discussion above. 
Proof of Theorem 1 

Let F be a pseudorandom function [GGM86]: we denote by F_s(x) the output 
of F with seed s on input x. Note that such functions exist assuming one-way 
functions exist [HILL99]. Let x denote the theorem that the prover is trying to 
prove to the verifier. 

Add to Key Gen: Generate random n-bit seed s; add s to the secret key SK. 
Add P' Step: Set β = 0; send β to the verifier. 
Add V' Step: If β = F_s(x), accept and stop. Else send F_s(x) to prover. 

Note that a sequential malicious prover can easily get V' to accept: it finds out 
the value of F_s(x) in the first interaction, and sets β = F_s(x) for the second. If, 
on the other hand, the malicious prover is not allowed to use the same x twice, 
then it cannot predict F_s(x) before sending β, and thus cannot get V' to accept. 



Proof of Theorem 2 

Let (SigKeyGen, Sign, Ver) be a signature scheme secure against adaptive chosen 
message attacks. Note that such a scheme exists assuming one-way 
functions exist [Rom90]. 

Add to Key Gen: Generate a key pair (SigPK, SigSK) for the signature 
scheme; add SigPK to the public key PK and SigSK 
to the secret key SK. 

Add 1st P' Step: Set M = 0, and send M to the verifier. 
Add 1st V' Step: 1. Send a signature s of M to the prover. 
2. Let M' be a random n-bit string; send M' to the prover. 
Add 2nd P' Step: Set s' = 0. Send s' to the verifier. 
Add 2nd V' Step: If s' is a valid signature of M', then accept and stop. 

Note that a concurrent malicious prover can easily get V' to accept. It starts 
a protocol with V', sends M = 0, receives M' from V', and then pauses the 
protocol. During the pause, it starts a second protocol, and sends M = M' to 
V' to obtain a signature s of M' in the first message from V'. It then resumes the 
first protocol, and sends s' = s to V' as its second message, which V' accepts. 

Also note that a sequential malicious prover will most likely not be able to 
come up with a valid signature of M', because of the signature scheme’s security 
against adaptive chosen message attacks. 



Proof of Theorem 3 

Add P' Step: Set β to be the string of n zeroes; send β to the verifier. 
Add V' Step: Set α to be a random string. If β = α, accept and stop. Else send 
α to the prover. 

Note that a resetting malicious prover can easily get V' to accept: it finds out 
the value of α in the first interaction, then resets V' with the same random tape 
(and hence the same α, because α comes from V’s random tape) and sets β = α 
for the second interaction. A concurrent malicious prover, on the other hand, 
knows nothing about α when it determines β, and thus cannot get V' to accept. 

Note that this separation holds in the standard model as well — we never used 
the BPK model in this proof. 
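As an added illustration (not part of the paper), the following Python model runs the replay strategies from the proofs of Theorems 1 and 3 against the weakened verifiers V', treating V' exactly as the deterministic oracle V(SK, ρ) of the Players section. It assumes HMAC-SHA256 as a stand-in for the PRF F_s; the underlying protocol (P, V) and the signature-based construction of Theorem 2 are not modelled.

```python
"""Toy model of the separations in the proofs of Theorems 1 and 3.

Added example, not from the paper.  Only the *additional* rounds of the
weakened verifier V' are modelled, as the deterministic oracle V'(SK, rho)
of the Players section: given x and the prover's message beta it returns
("accept", None) or ("continue", revealed).  "continue" means V' would now
run the underlying protocol (P, V), which is not modelled here.
"""
import hashlib
import hmac
import secrets

N_BYTES = 16            # toy security parameter: all strings are 128 bits
ZERO = bytes(N_BYTES)   # the fixed value beta that the honest P' sends


def prf(seed: bytes, x: bytes) -> bytes:
    """F_s(x): HMAC-SHA256 stands in for the PRF family of [GGM86]."""
    return hmac.new(seed, x, hashlib.sha256).digest()[:N_BYTES]


class Thm1Verifier:
    """V' of the Theorem 1 proof: KeyGen adds a PRF seed s to SK.  On the
    prover's beta, accept iff beta == F_s(x); else reveal F_s(x) and continue.
    The added round ignores rho: it depends on SK and x only."""

    def __init__(self) -> None:
        self.sk = secrets.token_bytes(N_BYTES)

    def oracle(self, rho: bytes, x: bytes, beta: bytes):
        fx = prf(self.sk, x)
        if hmac.compare_digest(beta, fx):
            return ("accept", None)
        return ("continue", fx)


class Thm3Verifier:
    """V' of the Theorem 3 proof: alpha is read off the random tape rho.
    Accept iff beta == alpha; else reveal alpha and continue."""

    def oracle(self, rho: bytes, x: bytes, beta: bytes):
        alpha = rho[:N_BYTES]   # a function of the random tape only
        if hmac.compare_digest(beta, alpha):
            return ("accept", None)
        return ("continue", alpha)


def replay_sequential(verifier, x_first: bytes, x_second: bytes) -> bool:
    """Two stages of a sequential malicious prover, as in Sequential-Attack:
    each interaction gets a fresh rho.  Stage 1 sends beta = 0 and records the
    revealed value; stage 2 replays it as beta on x_second.  With
    x_first != x_second this is what a one-time prover may do; with
    x_first == x_second it is what only a sequential prover may do."""
    rho_1, rho_2 = secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES)
    verdict, revealed = verifier.oracle(rho_1, x_first, ZERO)
    if verdict == "accept":          # guessed beta; negligible probability
        return True
    verdict, _ = verifier.oracle(rho_2, x_second, revealed)
    return verdict == "accept"


def replay_resetting(verifier, x: bytes) -> bool:
    """A resetting malicious prover, as in Resetting-Attack: the second query
    goes to the *same* oracle, i.e. V' is rewound to the same random tape."""
    rho = secrets.token_bytes(N_BYTES)
    verdict, revealed = verifier.oracle(rho, x, ZERO)
    if verdict == "accept":
        return True
    verdict, _ = verifier.oracle(rho, x, revealed)
    return verdict == "accept"


def separation_table() -> dict:
    """Which prover class gets each weakened verifier to accept.
    The two byte strings are constructed stand-ins for the n-bit x_i."""
    x_a, x_b = b"theorem-A", b"theorem-B"
    v1, v3 = Thm1Verifier(), Thm3Verifier()
    return {
        # Theorem 1: distinct x (one-time) fails, same x (sequential) wins
        "thm1_one_time": replay_sequential(v1, x_a, x_b),
        "thm1_sequential": replay_sequential(v1, x_a, x_a),
        # Theorem 3: a fresh rho per run defeats replay, a reset does not
        "thm3_sequential": replay_sequential(v3, x_a, x_a),
        "thm3_resetting": replay_resetting(v3, x_a),
    }
```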



4 The “Exact” Soundness of Existing BPK Protocols 



There are only two known protocols in the BPK model, the original one of 
[CGGM00] and the one of [MR01] (the latter actually working in a slightly 
stronger model). Thus we need to understand which notions of soundness they 
satisfy. 



The CGGM Protocol Is Sequentially but Probably Not Concurrently 
Sound 

Although [CGGM00] did not provide formal definitions of soundness in the BPK 
model, their soundness proof essentially shows that their protocol is sequentially 
sound. However, let us (sketchily) explain why it will probably not be possible 
to prove their protocol concurrently sound. 

The CGGM protocol begins with V proving to P knowledge of the secret key 
by means of parallel repetitions of a three-round proof of knowledge subprotocol. 
The subprotocol is as follows: in the first round, V sends to P a commitment; 
in the second round, P sends to V a one-bit challenge; in the third round, V 
sends to P a response. This is repeated k times in parallel in order to reduce the 
probability of V cheating to roughly 2^{-k}. 

In order to prove soundness against a malicious prover P*, these parallel 
repetitions of the subprotocol need to be simulated to P* (by a simulator that 
does not know the secret key). The best known simulation techniques for this 
general type of proof of knowledge run in time roughly 2^k. This exponential-in-k 
simulation time is not a concern, because of their use of “complexity leveraging” 
in the proof of soundness. Essentially, the soundness of their protocol relies on an 
underlying much harder problem: for instance, one that is assumed to take more 
than 2^{3k} time to solve. Thus, the soundness of the CGGM protocol is proved by 
contradiction: by constructing a machine from P* that runs in time 2^k < 2^{3k} 
and yet solves the underlying harder problem. 

A concurrent malicious prover P*, however, may choose to run L parallel 
copies of V. Thus, to prove soundness against such a P*, the proof-of-knowledge 
subprotocol would have to be simulated Lk times in parallel, and this simulation 
would take roughly 2^{Lk} time. If L ≥ 3, then we will not be able to solve the 
underlying hard problem in time less than 2^{3k}, and thus will not be able to derive 
any contradiction. 

Thus, barring the emergence of a polynomial-time simulation for parallel 
repetitions of 3-round proofs of knowledge (or a dramatically new proof technique 
for soundness), the CGGM protocol is not provably concurrently sound. 



The MR Protocol Is Concurrently but Not Resettably Sound 

The protocol in [MR01] extends the BPK model with a counter. Namely, there 
is an a-priori polynomial bound B that limits the total number of times the 
verifier executes the protocol, and the verifier maintains state information from 
one interaction to the next via a counter (that can be tested and incremented 
in a single atomic operation). 

Our soundness notions easily extend to the MR model as well, and their 
soundness proof can be easily modified to yield that their protocol is concurrently 
sound in the new model. However, let us (sketchily) prove here that the MR 
protocol is not resettably sound. 

In the MR protocol, verifier V publishes a public key for a trapdoor commit- 
ment scheme, and then proves knowledge of the trapdoor using a non-interactive 
zero-knowledge proof of knowledge (NIZKPK), relative to a jointly generated 
string σ. It is easy to see that in the MR protocol, if P* could learn V’s trap- 
door, then he could force V to accept a false theorem. The knowledge-extraction 
requirement of the NIZKPK system guarantees that, by properly selecting σ, one 
could extract the trapdoor from the proof. Now, a malicious resetting prover P* 
has total control over σ. Indeed, in the MR protocol σ is the exclusive-or of two 
strings: σ_P provided by the prover in the first round, and σ_V provided by the 
verifier in the second round. Thus, P* simply finds out σ_V by running the pro- 
tocol once, then resets V and provides σ_P such that the resulting σ = σ_V ⊕ σ_P 
will equal the string that allows P* to extract the trapdoor. 

5 The Cost of Soundness in Zero-Knowledge Proofs 

The BPK model was introduced to save rounds in RZK protocols, but has itself 
introduced four notions of soundness. We have already shown that these notions 
are formally separated. Now, we show that they also have quite different algo- 
rithmic requirements: namely, stronger notions of soundness for ZK protocols 
require more rounds to be implemented. More precisely, we show a lowerbound, 
namely that concurrently sound black-box ZK requires four or more rounds, and 
two upperbounds, namely that one-time-sound RZK can be achieved in three 
rounds (which can be shown optimal using the standard-model lowerbound of 
[GO94]), and that sequential RZK can be achieved in four rounds. 

Note that our lowerbound in the BPK model is not contradicted by the 
existence of the 3-round concurrently-sound protocol of [MR01], which is in a 
stronger model, where the verifier has a counter. 

We derive our lowerbound in the BPK model, where there are different no- 
tions of soundness, from the older one of Goldreich and Krawczyk [GK96] for 
black-box ZK in the standard model, where one-time, sequential and concur- 
rent soundness coincide. Thus, somehow, their proof can be extended to verifiers 
that have public and secret keys, though (as clear from our upperbound) this 
extension fails to apply to some types of soundness. This point is important to 
understanding soundness in the BPK model, and we’ll try to highlight it when 
sketching the lowerbound proof below. 

Our bounds are not tight: we do not know whether 4-round concurrently 
sound RZK protocols exist, nor whether 3-round sequentially sound ZK proto- 
cols exist. Before our work, however, the gap was even wider: the CGGM — 
sequentially sound — RZK protocol had 8 rounds without preprocessing, though 
it could be easily reduced to 5 rounds. 

5.1 No Concurrent Soundness for Black-Box ZK in Three Rounds 

Theorem 4. Any (resettable or not) black-box ZK protocol satisfying concurrent 
soundness in the BPK model for a language L outside of BPP requires at least 
four rounds. 

Proof Sketch. The Goldreich and Krawczyk proof that, for languages outside 
of BPP, there are no three-round protocols that are black-box zero-knowledge 
in the standard model, proceeds by contradiction. Assuming the existence of a 
black-box zero-knowledge simulator M, it constructs a BPP machine M' for L. 
Recall that M interacts with a verifier in order to output the verifier’s view. On 
input x, M' works essentially as follows: it simply runs M on input x, simulating 
a verifier to it. For this simulation, M' uses the algorithm of the honest verifier V 
and the messages supplied by M, but ignores the random strings supplied by M 
and uses its own random strings (if the same message is given twice by M, then 
M' uses the same random string, thus making the verifier appear deterministic 
to M). If the view that M outputs at the end is accepting, then M' concludes 
that x ∈ L. Otherwise, it concludes that x ∉ L. 

To show that M' is a BPP machine for L, Goldreich and Krawczyk demon- 
strate two statements: that if x ∈ L, M' is likely to output an accepting conver- 
sation, and that if x ∉ L, M' is unlikely to output an accepting conversation. 
The first statement follows because, by zero-knowledgeness, M’s output is in- 
distinguishable from the view generated by the true prover and the true verifier 
on input x, and, by completeness, this view is accepting. The second statement 
follows from soundness: if M' can output an accepting conversation for x ∉ L, 
then one can construct a malicious prover P* that can convince V of the false 
statement “x ∈ L.” Such a P* needs in essence to “execute M” and simply let 
it interact with V. 

Having P* execute M requires some care. At first glance, because simulator 
M is capable of resetting the verifier, it would seem that, in order to execute M, 
also P* should have this capability. However, for 3-round protocols only, [GK96] 
show that 

(*) P* can execute M without resetting V, so long as it has one-time access to 
V. 

Notice that by the term “one-time access” we make retroactive use of our modern 
terminology: [GK96] make no mention of one-time provers, because they work in 
the standard model. However, this terminology allows us to separate their proof 
of (*) into two distinct steps: 

(*') P* can execute M so long as it has concurrent access to V; and 
(*'') losing only a polynomial amount of efficiency, concurrent access to V is 
equivalent to one-time access. 

Tedious but straightforward analysis shows that (*') and the rest of their proof — 
except for (*'') — carries through in the BPK model (where the 3-round protocol 
is modified to include verifier key generation, and public and secret verifier keys 
are then involved). Step (*''), however, only holds in the standard model (where, 
as we pointed out, one-time, sequential and concurrent soundness coincide). 

In sum, therefore, once verifier keys are introduced, one is left with a con- 
current prover. □ 



5.2 One-Time Sound RZK in Three Rounds 

Theorem 5. Assuming the security of RSA with large prime exponents against 
subexponentially-strong adversaries, for any L ∈ NP, there exists a 3-round 
black-box RZK protocol in the BPK model that possesses one-time, but not 
sequential, soundness. 

Proof Sketch. The proof of the theorem is constructive: we demonstrate such a 
protocol (P, V). 



Basic Tools. The protocol (P, V) relies on three techniques: a pseudorandom 
function PRF [GGM86], a verifiable random function VRF [MRV99], and a non- 
interactive zero-knowledge (NIZK) proof system (NIP, NIV) [BFM88, BDMP91]. 
Note that both PRFs and NIZKs can be constructed using general assumptions, 
and it is only for VRFs that we need the specific RSA assump- 
tion (which is formally stated in Appendix B.3). 

The definitions of NIZKs and VRFs are recalled in the Appendix. Here 
we briefly introduce the notation: 

— The keys VRFPK, VRFSK for VRF are produced by VRFGen. The evalu- 
ation is performed by VRFEval, and the proof is computed by VRFProve. 
The verification is performed by VRFVer. 

— The NIZK proof with security parameter n requires a shared random string 
σ of length NIσLen(n). The proof is computed by NIP and verified by NIV. 
The shared string and the proof together can be simulated by NIS. 

The construction works for any language L for which an NIZK proof system 
exists, and, therefore, for all of NP. 

This construction also uses “complexity leveraging” [CGGM00], although in 
a somewhat unusual way. Namely, let α be the pseudorandomness constant for 
VRF (that is, the output of VRFEval is indistinguishable from random for 
circuits of size 2^{k^α}, where k is the VRF security parameter). Let γ_1 be the 
following constant: for all sufficiently large n, the length of the NIZK proof Π 
for x ∈ L of length n is upper bounded by n^{γ_1}. Let γ_2 be the following constant: 
for all sufficiently large n, the length of the NP-witness y for x ∈ L of length n 
is upper bounded by n^{γ_2}. We then set γ = max(γ_1, γ_2), and ε > γ/α. We use 
NIZK with security parameter n and VRF with a (larger) security parameter 
k = n^ε. This ensures that one can enumerate all potential NIZK proofs Π, or all 
potential NP-witnesses y, in time 2^{n^γ}, which is less than the time it would take 
to break the residual pseudorandomness of VRF (because 2^{n^γ} < 2^{k^α}). 

The Protocol. For a security parameter n, V generates a key pair for the 
VRF with output length NIσLen(n) and security parameter k = n^ε. VRFSK is 
V’s secret key, and VRFPK is V’s public key. 



Public File: A collection F of records (id, VRFPK_id), where VRFPK_id 
is allegedly the output of VRFGen(1^k) 

Common Input: An element x ∈ L 

P Private Input: The NP-witness y for x ∈ L; V’s id and the file F; 
a random string ω 

V Private Input: A secret key SK 

P Step One: 1. Using the string ω as a seed for PRF, generate a string 
σ_P of length NIσLen(n) from the inputs x, y and id. 
2. Send σ_P to V. 

V Step One: 1. Compute a string σ_V of length NIσLen(n) as 
σ_V = VRFEval(VRFSK, x), and the VRF proof 
pf = VRFProve(VRFSK, x). 
2. Send σ_V and pf to P. 

P Step Two: 1. Verify that σ_V is correct by invoking 
VRFVer(VRFPK, x, σ_V, pf). If not, abort. 
2. Let σ = σ_V ⊕ σ_P. Using NIP(σ, x, y), compute and send 
to V the proof Π of the statement “x ∈ L.” 

V Step Two: 1. Let σ = σ_V ⊕ σ_P. Using NIV(σ, x, Π), verify if Π is valid. 
If so, accept. Else reject. 



As far as we know, the above protocol is the first application of VRFs. The very 
strong properties of this new tool yield surprisingly simple proofs of one-time 
soundness and resettable zero-knowledgeness. 



Completeness and RZK. As usual, completeness of our protocol is easily 
verified. The RZK property can be shown in a way similar to (and simpler than) 
the way it is shown in [CGGM00] and [MR01]. One simply builds an RZK simulator 
who finds out VRFEval(VRFSK, x) for every pair (VRFPK, x) that V* is likely 
to input to P, and then rewinds and uses the NIZK simulator NIS(x) just like 
the sequential malicious prover described below. 

Soundness. First of all, note that soundness of our protocol is provably not 
sequential, because σ_V depends only on the input x, and hence will repeat if V is 
run with the same x twice. Thus, once a sequential malicious prover P* knows 
σ_V, it can run the NIZK simulator NIS(x) to obtain (σ', Π'), restart with the 
same x, and use σ_P = σ' ⊕ σ_V as its first message and Π' as its second message. 

To show one-time soundness, first assume (for simplicity) that P* interacts 
with V only once (we will deal with the general case later). Then we will construct 
a machine T = (T_J, T_E) to break the residual pseudorandomness of the VRF (see 
the definition of VRF in the Appendix). Namely, given the public key VRFPK of 
a VRF with security parameter k, T_J runs the first stage of P* on input VRFPK 
to receive a string x. It then checks if x ∈ L by simply enumerating all potential 
NP witnesses y in time 2^{n^γ}. If it is, then T_J outputs (x, state), where state = 0. 
Otherwise, it runs the second stage of P* to receive σ_P, and outputs (x, state), 
where state = (x, σ_P). 

Now, T_E receives v, and T_E’s job is to find out whether v is a random 
string or VRFEval(VRFSK, x). If state = 0, then T_E simply guesses at random. 
Otherwise, state = (x, σ_P). Let σ = σ_P ⊕ v. If v is a random string, then σ is also 
random, so most likely there is no NIZK proof Π of the statement “x ∈ L” with 
respect to σ (by soundness of the NIZK proof system). Otherwise, v = σ_V, so, if 
P* has a better than negligible probability of success, then there is a better than 
negligible probability that Π exists with respect to σ. Thus, T_E simply searches 
whether a proof Π exists (in time 2^{n^γ}) to determine whether v is random or 
the output of VRFEval. 

Complexity leveraging is crucial here: we are using the fact that the VRF 
is “stronger” than the non-interactive proof system. Otherwise, the output of 
VRFProve (which the prover gets, but T does not) could help a malicious prover 
find Π. By using a stronger VRF, we are ensuring that such Π will most likely 
not even exist. 

Now we address the general case, when P* is allowed s(n) sequential inter- 
actions with V, and wins if V accepts at least one of them (say, the i-th one) 
for x_i ∉ L. Then T_J simply guesses, at random, the conversation number i for 
which P* will succeed, and simulates conversations before the i-th one by query- 
ing VRFEval and VRFProve on x_j for j < i (it is allowed to do so, because, in 
one-time soundness, x_j ≠ x_i). □ 



5.3 Sequentially Sound RZK in Four Rounds 

Theorem 6. Assuming there exist certified trapdoor permutation families secure 
against subexponentially-strong adversaries, for any L ∈ NP, there exists 
a 4-round black-box RZK protocol in the BPK model that possesses sequential 
soundness. 

Proof Sketch. The proof is, again, constructive. The construction is a modifica- 
tion of the CGGM protocol (which has 8 rounds, and can easily be modified to 
have 5 by combining the first three rounds with later rounds). 

Main Ideas. The CGGM protocol starts with a three-round proof of knowledge 
subprotocol in which V proves to P knowledge of the secret key. After that, P 
proves to V that a graph is three-colorable using a five-round protocol. 

Our main idea is to replace the five-round protocol with a single round using 
non-interactive zero-knowledge. The first three rounds are then used both for 
the proof of knowledge and for agreeing on a shared random auxiliary string 
σ needed for the NIZK proof. To agree on σ, V sends to P an encryption of a 
random string σ_V, P sends to V its own random string σ_P, and then V reveals 
σ_V (and the coins used to encrypt it). The string σ is computed as σ_P ⊕ σ_V. 

Thus, V’s key pair is simply a key pair for an encryption scheme. The protocol 
is zero-knowledge essentially for the same reasons that the CGGM protocol is 
zero-knowledge: because the simulator can extract the decryption key from the 
proof of knowledge and thus find out σ_V before needing to submit σ_P. This will 
allow it to select σ as it wishes and thus use the NIZK simulator. 

The protocol is sequentially sound because if the theorem is false, then with 
respect to only a negligible portion of the possible strings σ does a NIZK proof of 
the theorem exist. Thus, if a malicious prover P*, after seeing only an encryption 
of σ_V, is able to come up with σ_P such that the NIZK proof exists with respect 
to the resulting string σ = σ_P ⊕ σ_V, then one can use P* to break the security 
of the encryption scheme. 

The computational assumption for our protocol follows from the fact that 
trapdoor permutations are sufficient for encryption [GM84, Yao82, GL89], certi- 
fied trapdoor permutations are sufficient for NIZKs [FLS99], one-way permuta- 
tions are sufficient for the proof of knowledge [Blu86] (which is the same as in 
the CGGM protocol) and one-way functions are sufficient for PRFs [HILL99]. 

Details of the Construction. This construction, like the previous one, 
works for any language L for which an NIZK proof system exists. Hence it 
works for all L ∈ NP. 

The protocol below relies on parallel executions of three-round proofs of 
knowledge, which are performed in exactly the same way as in [CGGM00]. We 
also use “complexity leveraging,” in a way similar to our three-round one-time- 
sound construction. Namely, let α be the indistinguishability constant for the 
encryption scheme (that is, the encryptions of two different strings are indistin- 
guishable from each other for circuits of size 2^{k^α}, where k is the security param- 
eter). Let γ_1 be the following constant: for all sufficiently large n, the length of 
the NIZK proof Π for x of length n is upper bounded by n^{γ_1}. Let γ_2 be the follow- 
ing constant: n parallel repetitions of the proof-of-knowledge subprotocol can be 
simulated in time less than 2^{n^{γ_2}}. We then set γ = max(γ_1, γ_2), and ε > γ/α. 



558 S. Micali and L. Reyzin 



We use NIZK with security parameter $n$ and perform $n$ parallel repetitions of 
the proof-of-knowledge subprotocol, while the encryption scheme has a (larger) 
security parameter $k = n^\epsilon$. This ensures that one can enumerate all potential 
NIZK proofs $\Pi$ and simulate the proof-of-knowledge subprotocol in time $2^{n^\gamma}$, 
which is less than the time it would take to break the indistinguishability of the 
encryption scheme (because $2^{n^\gamma} < 2^{k^\alpha} = 2^{n^{\epsilon\alpha}}$, as $\epsilon\alpha > \gamma$). 

The Protocol. For a security parameter $n$, the verifier V generates a pair 
$(EncPK, EncSK)$ of keys for the encryption scheme with security parameter 
$k = n^\epsilon$. $EncSK$ is V’s secret key, and $EncPK$ is V’s public key. 



Public File: A collection F of records $(id, EncPK_{id})$, where $EncPK_{id}$ is 
allegedly the output of V’s key generation 
Common Inputs: An element $x \in L$ 
P Private Input: The NP-witness $y$ for $x \in L$; P’s $id$ and the file F; 
a random string $\omega$ 
V Private Input: A secret key $EncSK$; a random string $\rho$ 

V Step One: 
1. Generate a random string $\sigma_V$ of length $\mathrm{NI}\sigma\mathrm{Len}(n)$. 
2. Encrypt $\sigma_V$, using a portion $\rho_E$ of the input random string $\rho$, 
to get a ciphertext $c$. Send $c$ to P. 
3. Generate and send to P the first message of the $n$ parallel 
repetitions of the proof of knowledge of $EncSK$. 

P Step One: 
1. Using the input random string $\omega$ as a seed for the PRF, generate a 
sufficiently long “random” string from the input to be used in 
the remaining computation by P. 
2. Generate and send to V a random string $\sigma_P$ of length $\mathrm{NI}\sigma\mathrm{Len}(n)$. 
3. Generate and send to V the second message of the $n$ parallel 
repetitions of the proof of knowledge of $EncSK$. 

V Step Two: 
1. Send $\sigma_V$ and the coins $\rho_E$ used to encrypt it to P. 
2. Generate and send the third message of the $n$ parallel 
repetitions of the proof of knowledge of $EncSK$. 

P Step Two: 
1. Verify that $\sigma_V$ encrypted with coins $\rho_E$ produces ciphertext $c$. 
2. Verify the $n$ parallel repetitions of the proof of knowledge of $EncSK$. 
3. If both verifications hold, let $\sigma = \sigma_V \oplus \sigma_P$. Using the NIZK 
prover $\mathrm{NIP}(\sigma, x, y)$, compute and send to V the proof $\Pi$ of 
the statement “$x \in L$.” 

V Step Three: 
Let $\sigma = \sigma_V \oplus \sigma_P$. Using the NIZK verifier $\mathrm{NIV}(\sigma, x, \Pi)$, verify 
if $\Pi$ is valid. If so, accept. Else reject. 



Completeness and RZK. Completeness of this protocol is, as usual, easily 
verified. The proof of resettable zero-knowledgeness is very similar to that of 
the GGGM protocol: once the simulator recovers $EncSK$ from the proof of knowledge, it can 
find out $\sigma_V$ before having to send $\sigma_P$, and thus can run the NIZK simulator to 
get $(\sigma, \Pi)$ and set $\sigma_P = \sigma \oplus \sigma_V$. 
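The string-agreement part of the protocol above (V commits to $\sigma_V$, P answers with a PRF-derived $\sigma_P$, V opens, P checks the opening before using $\sigma_V$) together with the simulator's trick of fixing $\sigma$ once it knows $\sigma_V$, as an added runnable sketch that is not code from the paper. It assumes a SHA-256 hash commitment in place of the public-key encryption of $\sigma_V$, HMAC-SHA256 in place of the PRF seeded with $\omega$, and models the simulator's decryption of $c$ by handing it $\sigma_V$ directly; the proof-of-knowledge and NIZK messages are left out.

```python
import hashlib
import hmac

# Added illustration, not the paper's code. Byte lengths stand in for NIsigmaLen(n).
SIGMA_LEN = 32


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def enc_stand_in(sigma_v: bytes, rho_e: bytes) -> bytes:
    """Stand-in (assumption) for Enc_EncPK(sigma_V; rho_E).

    The paper uses a public-key encryption whose secret key the simulator
    extracts from the proof of knowledge. Here a hash commitment plays the
    hiding role: c reveals nothing about sigma_V until (sigma_V, rho_E) is
    opened, and anyone can recompute c to check the opening."""
    return hashlib.sha256(b"enc-stand-in|" + rho_e + b"|" + sigma_v).digest()


def prf(omega: bytes, label: bytes) -> bytes:
    """Stand-in for the PRF seeded with omega (HMAC-SHA256 here)."""
    return hmac.new(omega, label, hashlib.sha256).digest()


# ---- V Step One ------------------------------------------------------------
def verifier_step_one(rho: bytes):
    """V draws sigma_V and the encryption coins rho_E from its random string
    rho and sends c (the proof-of-knowledge messages are out of scope)."""
    sigma_v = rho[:SIGMA_LEN]
    rho_e = rho[SIGMA_LEN:2 * SIGMA_LEN]
    c = enc_stand_in(sigma_v, rho_e)
    return c, sigma_v, rho_e


# ---- P Step One ------------------------------------------------------------
def prover_step_one(omega: bytes, x: bytes, c: bytes) -> bytes:
    """P's only randomness is PRF_omega applied to what it has seen so far.
    Resetting P with the same omega and the same incoming c therefore yields
    the same sigma_P, which is what the resettable-ZK analysis relies on."""
    return prf(omega, b"sigma_P|" + x + b"|" + c)


# ---- V Step Two is the opening (sigma_V, rho_E); P Step Two checks it ------
def prover_step_two(c: bytes, sigma_v: bytes, rho_e: bytes, sigma_p: bytes):
    """Return sigma = sigma_V xor sigma_P if the opening matches c, else None.
    Without this check V could choose sigma_V after having seen sigma_P."""
    if not hmac.compare_digest(enc_stand_in(sigma_v, rho_e), c):
        return None
    return xor(sigma_v, sigma_p)


# ---- V Step Three computes the same sigma on its side ----------------------
def verifier_sigma(sigma_v: bytes, sigma_p: bytes) -> bytes:
    return xor(sigma_v, sigma_p)


# ---- Simulator -------------------------------------------------------------
def simulator_sigma_p(target_sigma: bytes, sigma_v: bytes) -> bytes:
    """The simulator, having extracted EncSK and decrypted c (modelled here by
    being handed sigma_V), picks sigma_P so that the agreed string equals the
    sigma produced by the NIZK simulator."""
    return xor(target_sigma, sigma_v)


def honest_run(rho: bytes, omega: bytes, x: bytes):
    """One honest execution of the string-agreement part of the protocol."""
    c, sigma_v, rho_e = verifier_step_one(rho)
    sigma_p = prover_step_one(omega, x, c)
    sigma_at_p = prover_step_two(c, sigma_v, rho_e, sigma_p)
    sigma_at_v = verifier_sigma(sigma_v, sigma_p)
    return sigma_at_p, sigma_at_v


if __name__ == "__main__":
    # Constructed sample inputs.
    rho = bytes(range(64))
    omega = b"\x07" * 32
    x = b"constructed statement x"
    sp, sv = honest_run(rho, omega, x)
    print("honest parties agree on sigma:", sp == sv)
```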



Soundness. Sequential soundness can be shown as follows. Suppose P* is a 
malicious prover that can make V accept a false theorem with probability $p(n)$ 
(where the probability is taken over the coin tosses of V and P*). First, 
assume (for simplicity) that P* interacts with V only once (we will deal with 
the general case of a sequential malicious prover later). 

We will use P* to construct an algorithm A that breaks the encryption 
scheme. A is given, as input, the public key $PK$ for the encryption scheme. Its 
job is to pick two strings $r_0$ and $r_1$, receive an encryption of $r_b$ for a random bit 
$b$ and tell whether $b = 0$ or $b = 1$. It picks $r_0$ and $r_1$ simply as random strings 
of length $\mathrm{NI}\sigma\mathrm{Len}(n)$. Let $c$ be the encryption of $r_b$. Then A publishes $PK$ as its 
public key, runs the first stage of P* to receive $x$, and initiates a protocol with 
the second stage of P*. 

In the first message, A sends $c$ for the encryption of $\sigma_V$ (for the proof-of- 
knowledge subprotocol, A uses the simulator, which runs in time $2^{n^{\gamma_2}}$). It then 
receives $\sigma_P$ from P*, computes $\sigma_i = \sigma_P \oplus r_i$ and determines (by exhaustive 
search, which takes time $2^{n^{\gamma_1}}$) if there exists an NIZK proof $\Pi_i$ for the statement 
$x \in L$ with respect to $\sigma_i$ (for $i = 0, 1$). If $\Pi_i$ exists and $\Pi_{1-i}$ does not, then A 
outputs $b = i$. If neither $\Pi_0$ nor $\Pi_1$ exists, or if both exist, then A outputs a 
random guess for $b$. 

We now need to compute the probability that A correctly guessed $b$. Of 
course, by construction, 

$$\Pr[A \text{ outputs } b] = \Pr[\exists\Pi_b \text{ and } \nexists\Pi_{1-b}] + \Pr[\exists\Pi_b \text{ and } \exists\Pi_{1-b}]/2 + \Pr[\nexists\Pi_b \text{ and } \nexists\Pi_{1-b}]/2.$$

Note that $\Pr[\exists\Pi_b \text{ and } \exists\Pi_{1-b}] + \Pr[\nexists\Pi_b \text{ and } \nexists\Pi_{1-b}] = 1 - (\Pr[\exists\Pi_b \text{ and } \nexists\Pi_{1-b}] + \Pr[\nexists\Pi_b \text{ and } \exists\Pi_{1-b}])$. Therefore, 

$$\Pr[A \text{ outputs } b] = 1/2 - \Pr[\nexists\Pi_b \text{ and } \exists\Pi_{1-b}]/2 + \Pr[\exists\Pi_b \text{ and } \nexists\Pi_{1-b}]/2.$$

Note that either of the events $\nexists\Pi_b$ and $\nexists\Pi_{1-b}$ can occur only if $x \notin L$, by 
completeness of the NIZK system. Therefore, 

$$\begin{aligned}
\Pr[A \text{ outputs } b] &= 1/2 - \Pr[\nexists\Pi_b \text{ and } \exists\Pi_{1-b} \text{ and } x \notin L]/2 + \Pr[\exists\Pi_b \text{ and } \nexists\Pi_{1-b} \text{ and } x \notin L]/2 \\
&= 1/2 - \Pr[\nexists\Pi_b \text{ and } \exists\Pi_{1-b} \text{ and } x \notin L]/2 \\
&\quad + \Pr[\exists\Pi_b \text{ and } x \notin L]/2 - \Pr[\exists\Pi_b \text{ and } \exists\Pi_{1-b} \text{ and } x \notin L]/2 \\
&\ge 1/2 + p(n)/2 - \Pr[\exists\Pi_{1-b} \text{ and } x \notin L].
\end{aligned}$$

However, $r_{1-b}$ is picked uniformly at random and P* receives no information 
about it, so the string $\sigma_{1-b} = \sigma_P \oplus r_{1-b}$ is distributed uniformly at random. 
So, by soundness of NIZK, $\Pr[\exists\Pi_{1-b} \text{ and } x \notin L]$ is negligible in $n$. Thus, A’s 
advantage is only negligibly less than $p(n)/2$. 

Now we address the case of sequential malicious provers. Suppose P* is an 
$s$-sequential malicious prover. Then P* initiates at most $s(n)$ sequential conver- 
sations and wins if V accepts at least one of them for $x \notin L$. Then A simply 
guesses, at random, the conversation for which P* will succeed, and simulates 
the other conversations by using the simulator for the proof of knowledge 
and honestly encrypting random strings. Only for that conversation does it use 
the procedure described above. This reduces A’s advantage by a polynomial fac- 
tor of at most $s(n)$. □ 
A Definitions of Completeness and RZK 

Completeness for a pair (P, V) is defined the usual way. Consider the following 
procedure for (P, V), a string $x \in L$ of length $n$ and a string $y$. 

Procedure Normal-Interaction 

1. Run the key-generation stage of V on input $1^n$ and a random string $r$ to 
obtain $PK, SK$. 

2. Pick any $id$, and let F be a public file that contains the record $(id, PK)$. 

3. Pick strings $\omega$ and $\rho$ at random and run P on inputs $1^n, x, y, id, \omega$, and 
the verification stage of V on inputs $SK, x, \rho$, letting them interact. 

Definition 5. A pair (P, V) is complete for an NP-language L if for all $n$-bit 
strings $x \in L$ and their NP-witnesses $y$, the probability that in an execution of 
Normal-Interaction V outputs “accept” differs from 1 by a quantity negligible in 
$n$. 
The notion of resettable zero-knowledgeness is a bit harder to define. We 
do not describe the motivation and intuition behind RZK and instead refer the 
reader to the original exposition of [CGGM00]. Also, note that here we define 
only black-box RZK (because it is the notion most relevant to this paper). That 
is, we demand that there exist a single simulator that works for all malicious 
verifiers V* (given oracle access to V*). 

We introduce a few more players before formally stating the definition. Let 

— An honest prover P, for the purposes of defining RZK, be viewed as a non- 
interactive TM that is given, in addition to the inputs given in Section El, 
the entire history of the messages already received in the interaction, and 
outputs the next message to be sent. Fixing all inputs, this view allows one 
to think of $P(1^n, x, y, F, id, \omega)$ as a simple deterministic oracle that outputs 
the next message given the history of the interaction. 

— An $(s,t)$-resetting malicious verifier V*, for any two positive polynomials $s$ 
and $t$, be a TM that runs in two stages so that, on first input $1^n$, 

1. In stage 1, V* receives $s(n)$ values $x_1, \ldots, x_{s(n)} \in L$ of length $n$ each, and 
outputs an arbitrary public file F and a list of $s(n)$ identities $id_1, \ldots, id_{s(n)}$. 

2. In stage 2, V* starts in the final configuration of stage 1, is given oracle 
access to $s(n)^3$ provers, and then outputs its “view” of the interactions: 
its random string and the messages received from the provers. 

3. The total number of steps of V* in both stages is at most $t(n)$. 

— A black-box simulator M be a polynomial-time machine that is given oracle 
access to V*. By this we mean that it can run V* multiple times, each time 
picking V*’s inputs, random tape and (because V* makes oracle queries itself) 
the answers to all of V*’s queries. M is also given $s(n)$ values $x_1, \ldots, x_{s(n)} \in L$ 
as input. 

Now we can formally define the resettable-zero-knowledgeness property. 

Definition 6. (P, V) is black-box resettable zero-knowledge for an NP-language 
L if there exists a simulator M such that for every pair of positive polynomials 
$(s,t)$, for every $(s,t)$-resetting verifier V*, for every $x_1, \ldots, x_{s(n)} \in L$ and their 
corresponding NP-witnesses $y_1, \ldots, y_{s(n)}$, the following probability distributions 
are indistinguishable (in time polynomial in $n$): 

1. The output of V* obtained from the experiment of choosing $\omega_1, \ldots, \omega_{s(n)}$ 
uniformly at random, running the first stage of V* to obtain F, and then 
letting V* interact in its second stage with the following $s(n)^3$ instances of 
P: $P(x_i, y_i, F, id_k, \omega_j)$ for $1 \le i, j, k \le s(n)$. 

2. The output of M with input $x_1, \ldots, x_{s(n)}$ interacting with V*. 
B Tools 

B.1 Probabilistic Notation 

(The following is taken verbatim from [BDMP91] and [GMR88].) If $A(\cdot)$ is an 
algorithm, then for any input $x$, the notation “$A(x)$” refers to the probability 
space that assigns to the string $a$ the probability that $A$, on input $x$, outputs 
$a$. The set of strings having a positive probability in $A(x)$ will be denoted by 
“$\{A(x)\}$”. If $S$ is a probability space, then “$x \leftarrow S$” denotes the algorithm which 
assigns to $x$ an element randomly selected according to $S$. If $F$ is a finite set, 
then the notation “$x \leftarrow F$” denotes the algorithm that chooses $x$ uniformly from 
$F$. 

If $p$ is a predicate, the notation $\mathrm{PROB}[x \leftarrow S;\ y \leftarrow T;\ \cdots : p(x, y, \cdots)]$ de- 
notes the probability that $p(x, y, \cdots)$ will be true after the ordered execution of 
the algorithms $x \leftarrow S;\ y \leftarrow T;\ \cdots$. The notation $[x \leftarrow S;\ y \leftarrow T;\ \cdots : (x, y, \cdots)]$ 
denotes the probability space over $\{(x, y, \cdots)\}$ generated by the ordered execu- 
tion of the algorithms $x \leftarrow S,\ y \leftarrow T,\ \cdots$. 

B.2 Non-interactive Zero-Knowledge Proofs 

Non-interactive zero-knowledge (NIZK) proofs for any language $L \in \mathrm{NP}$ were 
put forward and exemplified in [BFM88, BDMP91]. Ordinary ZK proofs rely on 
interaction. NIZK proofs replace interaction with a random shared string, $\sigma$, 
that enters the view of the verifier that a simulator must reproduce. Whenever 
the security parameter is $1^n$, $\sigma$’s length is $\mathrm{NI}\sigma\mathrm{Len}(n)$, where $\mathrm{NI}\sigma\mathrm{Len}$ is a fixed, 
positive polynomial. 

Let us quickly recall their definition, adapted for polynomial-time provers. 

Definition 7. Let NIP (non-interactive prover) and NIV (non-interactive ver- 
ifier) be two probabilistic polynomial-time algorithms, and let $\mathrm{NI}\sigma\mathrm{Len}$ be a pos- 
itive polynomial. We say that (NIP, NIV) is a NIZK argument system for an 
NP-language L if 

1. Completeness. $\forall x \in L$ of length $n$, $\forall \sigma$ of length $\mathrm{NI}\sigma\mathrm{Len}(n)$, and $\forall$ NP-witness 
$y$ for $x$, 

$$\mathrm{PROB}[\Pi \leftarrow \mathrm{NIP}(\sigma, x, y) : \mathrm{NIV}(\sigma, x, \Pi) = \mathrm{YES}] = 1.$$

2. Soundness. $\forall x \notin L$ of length $n$, 

$$\mathrm{PROB}[\sigma \leftarrow \{0,1\}^{\mathrm{NI}\sigma\mathrm{Len}(n)} : \exists\, \Pi \text{ s.t. } \mathrm{NIV}(\sigma, x, \Pi) = \mathrm{YES}]$$
is negligible in $n$. 

3. Zero-Knowledgeness. There exists a probabilistic polynomial-time simulator 
NIS such that, $\forall$ sufficiently large $n$, $\forall x$ of length $n$ and NP-witness $y$ for $x$, 
the following two distributions are indistinguishable by any polynomial-time 
adversary: 

$$[(\sigma', \Pi') \leftarrow \mathrm{NIS}(x) : (\sigma', \Pi')] \quad \text{and} \quad [\sigma \leftarrow \{0,1\}^{\mathrm{NI}\sigma\mathrm{Len}(n)};\ \Pi \leftarrow \mathrm{NIP}(\sigma, x, y) : (\sigma, \Pi)]$$
The authors of [BDMP91] show that non-interactive zero-knowledge proofs 
exist for all NP languages under the quadratic residuosity assumption. The au- 
thors of [FLS90] show the same under a general assumption: namely, that certi- 
fied trapdoor permutations exist (a family of trapdoor permutations is certified 
if it is easy to tell that a given function belongs to the family). We refer the 
reader to these papers for details. 

B.3 Verifiable Random Functions 

A family of verifiable random functions (VRFs), as proposed in [MRV99], is 
essentially a pseudorandom function family with the additional property that 
the correct value of a function on an input can not only be computed by the 
owner of the seed, but also proven to be the unique correct value. The proof can 
be verified by anyone who knows the public key corresponding to the seed. 

More precisely, a VRF is a quadruple of functions. The function VRFGen gen- 
erates a key pair $(VRFSK, VRFPK)$. The function $\mathrm{VRFEval}(VRFSK, x)$ com- 
putes the pseudorandom output $v$; the function $\mathrm{VRFProve}(VRFSK, x)$ computes 
$pf_x$, the proof that $v$ is correct. This proof can be verified by anyone who knows 
the $VRFPK$ by using $\mathrm{VRFVer}(VRFPK, x, v, pf_x)$; moreover, no matter how ma- 
liciously $VRFPK$ is constructed, for each $x$, there exists at most one $v$ for which a 
valid proof $pf_x$ exists. The pseudorandomness requirement states that, for all the 
points for which no proof has been provided, the function $\mathrm{VRFEval}(VRFSK, \cdot)$ 
remains indistinguishable from random. The following formal definition is almost 
verbatim from [MRV99]. 

Definition 8. Let VRFGen, VRFEval, VRFProve, and VRFVer be polynomial- 
time algorithms (the first and last are probabilistic, and the middle two are de- 
terministic). Let $a: \mathbb{N} \to \mathbb{N} \cup \{*\}$ and $b: \mathbb{N} \to \mathbb{N}$ be any two functions that are 
computable in time $\mathrm{poly}(n)$ and bounded by a polynomial in $n$ (except when $a$ 
takes on the value $*$). 

We say that (VRFGen, VRFEval, VRFProve, VRFVer) is a verifiable pseu- 
dorandom function (VRF) with input length $a(n)$† and output length $b(n)$ if 
the following properties hold: 

1. The following two conditions hold with probability $1 - 2^{-\Omega(n)}$ over the choice 
of $(VRFPK, VRFSK) \leftarrow \mathrm{VRFGen}(1^n)$: 

a) (Domain-Range Correctness): $\forall x \in \{0,1\}^{a(n)}$, $\mathrm{VRFEval}(VRFSK, x) \in \{0,1\}^{b(n)}$. 

b) (Complete Provability): $\forall x \in \{0,1\}^{a(n)}$, if $v = \mathrm{VRFEval}(VRFSK, x)$ 
and $pf = \mathrm{VRFProve}(VRFSK, x)$, then 

$$\mathrm{PROB}[\mathrm{VRFVer}(VRFPK, x, v, pf) = \mathrm{YES}] > 1 - 2^{-\Omega(n)}$$

(this probability is over the coin tosses of VRFVer). 

† When $a(n)$ takes the value $*$, it means that the VRF is defined for inputs of all 
lengths. Specifically, if $a(n) = *$, then $\{0,1\}^{a(n)}$ is interpreted as the set of all 
binary strings, as usual. 
2. (Unique Provability): For every $VRFPK$, $x$, $v_1$, $v_2$, $pf_1$, and $pf_2$ such that 
$v_1 \ne v_2$, the following holds for either $i = 1$ or $i = 2$: 

$$\mathrm{PROB}[\mathrm{VRFVer}(VRFPK, x, v_i, pf_i) = \mathrm{YES}] < 2^{-\Omega(n)}$$

(this probability is also over the coin tosses of VRFVer). 

3. (Residual Pseudorandomness): Let $\alpha > 0$ be a constant. Let $T = (T_E, T_J)$ 
be any pair of algorithms such that $T_E(\cdot, \cdot)$ and $T_J(\cdot, \cdot, \cdot)$ run for a total of 
at most $2^{n^\alpha}$ steps when their first input is $1^n$. Then the probability that $T$ 
succeeds in the following experiment is at most $1/2 + 1/2^{n^\alpha}$: 

a) Run $\mathrm{VRFGen}(1^n)$ to obtain $(VRFPK, VRFSK)$. 

b) Run $T_E^{\mathrm{VRFEval}(VRFSK, \cdot),\, \mathrm{VRFProve}(VRFSK, \cdot)}(1^n)$ to obtain the 
pair $(x, state)$. 

c) Choose $r \leftarrow \{0,1\}$. 
   i. if $r = 0$, let $v = \mathrm{VRFEval}(VRFSK, x)$. 
   ii. if $r = 1$, choose $v \leftarrow \{0,1\}^{b(n)}$. 

d) Run $T_J^{\mathrm{VRFEval}(VRFSK, \cdot),\, \mathrm{VRFProve}(VRFSK, \cdot)}(1^n, v, state)$ to obtain $guess$. 

e) $T = (T_E, T_J)$ succeeds if $x \in \{0,1\}^{a(n)}$, $guess = r$, and $x$ was 
not asked by either $T_E$ or $T_J$ as a query to $\mathrm{VRFEval}(VRFSK, \cdot)$ or 
$\mathrm{VRFProve}(VRFSK, \cdot)$. 

We call $\alpha$ the pseudorandomness constant. 

The authors of [MRV99] show how to construct VRFs based on the following 
variant of the RSA assumption. (We refer the reader to that paper for details 
of the construction.) Let $\mathrm{PRIMES}_n$ be the set of the $n$-bit primes, and $\mathrm{RSA}_n$ 
be the set of composite integers that are the product of two primes of length 
$\lfloor (n-1)/2 \rfloor$. 

The RSA' Subexponential Hardness Assumption: There exists a constant 
$\alpha$ such that, if $A$ is any probabilistic algorithm which runs in time $2^{n^\alpha}$ when its 
first input is $1^n$, then, 

$$\mathrm{PROB}[m \leftarrow \mathrm{RSA}_n;\ x \leftarrow \mathbb{Z}_m^*;\ p \leftarrow \mathrm{PRIMES}_{n+1};\ y \leftarrow A(1^n, m, x, p) : y^p = x \pmod{m}] < 1/2^{n^\alpha}.$$
Abstract. Non-Interactive Zero Knowledge (NIZK), introduced by 
Blum, Feldman, and Micali in 1988, is a fundamental cryptographic 
primitive which has attracted considerable attention in the last decade 
and has been used throughout modern cryptography in several essen- 
tial ways. For example, NIZK plays a central role in building provably 
secure public-key cryptosystems based on general complexity-theoretic 
assumptions that achieve security against chosen ciphertext attacks. In 
essence, in a multi-party setting, given a fixed common random string of 
polynomial size which is visible to all parties, NIZK allows an arbitrary 
polynomial number of Provers to send messages to polynomially many 
Verifiers, where each message constitutes an NIZK proof for an arbitrary 
polynomial-size NP statement. 

In this paper, we take a closer look at NIZK in the multi-party setting. 
First, we consider non-malleable NIZK, and generalizing and substan- 
tially strengthening the results of Sahai, we give the first construction 
of NIZK which remains non-malleable after polynomially-many NIZK 
proofs. Second, we turn to the definition of standard NIZK itself, and 
propose a strengthening of it. In particular, one of the concerns in the 
technical definition of NIZK (as well as non-malleable NIZK) is that the 
so-called “simulator” of the Zero-Knowledge property is allowed to pick 
a different “common random string” from the one that Provers must ac- 
tually use to prove NIZK statements in real executions. In this paper, we 
propose a new definition for NIZK that eliminates this shortcoming, and 
where Provers and the simulator use the same common random string. 
Furthermore, we show that both standard and non-malleable NIZK (as 
well as NIZK Proofs of Knowledge) can be constructed achieving this 
stronger definition. We call such NIZK Robust NIZK and show how 
to achieve it. Our results also yield the simplest known public-key en- 
cryption scheme based on general assumptions secure against adaptive 
chosen-ciphertext attack (CCA2). 

J. Kilian (Ed.): CRYPTO 2001, LNCS 2139, pp. 566-[Sn3 2001. 

© Springer-Verlag Berlin Heidelberg 2001 
1 Introduction 

Interactive Zero-Knowledge. Over the last two decades, Zero-Knowledge 
(ZK) as defined by Goldwasser, Micali, and Rackoff has become a funda- 
mental cryptographic tool. In particular, Goldreich, Micali and Wigderson 
showed that any NP statement can be proven in computational¹ ZK. 
Though ZK was originally defined for use in two-party interactions (i.e., 
between a single Prover and a single Verifier), ZK was shown to be useful in 
a host of situations where multiple parties could be involved, especially in 
multi-party secure function evaluation, first considered by Goldreich, Micali and 
Wigderson. Informally, one reason the notion of interactive ZK has been 
so pervasive is that in the single Prover/Verifier case, ZK essentially guarantees 
that any poly-time Verifier after interacting with the Prover in a ZK protocol 
learns absolutely nothing. Thus, informally speaking, whatever a poly-time Veri- 
fier can do after verifying a ZK protocol, it could also have done before such a ZK 
interaction. However, in a multiparty setting, perhaps not surprisingly, the stan- 
dard two-party definition of ZK does not guarantee what we would intuitively 
expect from “zero knowledge”: that the polynomial-time Verifier after observing 
such proofs cannot (computationally) do anything that he was not able to do 
before such proofs. Essentially, two important problems were pointed out in 
the literature: 

One problem, formally defined by Dolev, Dwork and Naor, is that of 
malleability, which informally means that an adversary who takes part in some 
ZK interaction can also interact with other parties and can exploit fragments 
of ZK interactions to prove something that he was not able to prove before. 
Indeed, this is a real problem to which they propose a solution that requires 
polylogarithmic overhead in the number of rounds of communication. It is not 
known how to reduce the number of rounds further in their solution. 

Another problem of ZK in the multi-party setting, pointed out by Dwork, 
Naor and Sahai, is that verifiers can “collaborate” when talking to provers, 
and the ZK property must be guaranteed even in concurrent executions. Indeed, 
unless one introduces changes in the model such as timing assumptions, in terms 
of the number of rounds, it was shown that a polylogarithmic number of rounds 
is both necessary and sufficient to guarantee concurrent ZK. 

Non-interactive Zero-Knowledge (NIZK): A way to reduce the number 
of rounds in a ZK proof (to just a single message from Prover to Verifier) was 

¹ Recall that several variants of ZK have been considered in the literature, in terms 
of the strength of the soundness condition and the strength of the simulation. In 
terms of the quality of the simulation, perfect, statistical, and computational ZK are 
defined. In terms of soundness two variants were considered: ZK proofs, where 
the proof remains valid even if an infinitely-powerful Prover is involved, and 
ZK arguments, where it is required that only polynomially-bounded Provers cannot 
cheat (except with negligible probability), given some complexity assumption. 
ZK proofs for languages outside BPP were shown to imply the existence of one- 
way functions for the perfect and statistical as well as the computational 
variants of ZK. 
proposed by Blum, Feldman and Micali by changing the model as follows: we 
assume that a common random reference string is available to all players. The 
Prover sends a single message to the Verifier, which constitutes a “non-interactive 
zero-knowledge” (NIZK) proof. In that work it was shown that any NP statement has 
a NIZK proof. Extending it, Blum, De Santis, Micali and Persiano showed 
how a Prover can prove polynomially many proofs based on algebraic assump- 
tions. Feige, Lapidot and Shamir further refined the definition of NIZK and 
constructed multiple-proof NIZK based on general assumptions². De Santis 
and Persiano extended the NIZK notion to NIZK Proofs of Knowledge (NIZK- 
PK)³. 

Again, although the notion of NIZK was defined in a two-party setting, it 
quickly found applications in settings with many parties, in particular where 
the same reference string may be used by multiple parties. 
Because of the non-interactive nature of NIZK proofs, many multi-party issues 
that appear in ZK do not arise in NIZK; for example the problem of concurrent 
zero-knowledge is completely gone⁴! 

The definition of NIZK proposed in the works above essentially provides the following 
guarantee: What one can output after seeing NIZK proofs is indistinguishable 
from what one can output without seeing any proofs, if you consider the reference 
string as part of the output. Thus, the standard notion of NIZK says that as long 
as one can simulate proofs together with random-looking reference strings, this 
satisfies the notion of NIZK. This definition, however, leaves open the question 
of what to do about output as it relates to the particular reference string that 
is being used by a collection of parties. Since the NIZK simulator produces its 
own different random string, its output would make sense only relative to the 
reference string that it chose, different from the one used by the provers.⁵ One of 
the contributions of this paper is to strengthen the notion of NIZK to insist that 
the simulator works with the same totally random string that all the Provers 
work with. 

NIZK proofs are broadcastable and transferable - that is, a single proof 
string can be broadcast or transferred from verifier to verifier to convince 
multiple parties of the validity of a statement. However, transferability causes 
a new problem: a user who has seen an NIZK proof (of a hard problem) can 
now “prove” (by simply copying) what he was not able to prove before. Indeed, 

² Efficiency improvements to these constructions have also been presented. 

³ In the same paper, De Santis and Persiano defined dense cryptosystems and showed that dense cryptosys- 
tems and NIZK proofs of membership for NP are sufficient in order to construct 
NIZK-PK for all of NP. This assumption was later shown to be necessary for NIZK-PK. 
(Dense cryptosystems were also shown to be equivalent to extractable com- 
mitment.) 

⁴ In fact, non-malleable commitment also becomes much easier to deal with in the 
non-interactive setting. Also, though it is not always thought of as a multi-party 
issue, the problem of resettable zero-knowledge is also easily dealt with for NIZK 
as well. 

⁵ Indeed, it seems quite unfair to let the simulator get away with ignoring the actual 
reference string! 
more generally the problem of malleability does remain for NIZK proofs: With 
respect to a particular (fixed) reference string, after seeing some NIZK proofs, 
the adversary may be able to construct new proofs that it could not have been 
able to construct otherwise. Sahai introduced non-malleable NIZK, where he shows 
how to construct NIZK which remains non-malleable only as long as the number 
of proofs seen by any adversary is bounded. In this paper (among other con- 
tributions) we continue and extend his work, strengthening the notion and the 
constructions of non-malleability and removing the limitation on the number of 
proofs. (For further discussion on malleability issues in multi-party situations, 
see the Appendix.) 

Our Results: First, we consider the following notion of NIZK. The sampling 
algorithm produces a common random string together with auxiliary informa- 
tion. (We insist that the common random string comes from a uniform (or nearly 
uniform) distribution.) Polynomially-bounded provers use this common random 
string to produce polynomially-many NIZK messages for some NP language. We 
insist that the simulator, given the same common random string, together with 
auxiliary information, can produce proofs of theorems which are computa- 
tionally indistinguishable from the proofs produced by honest provers for the 
same reference string. We call this notion same-string NIZK. 

We show two facts regarding same-string NIZK: (1) same-string NIZK Proofs 
(i.e. where the prover is infinitely powerful) are impossible for any hard-on- 
average NP-complete language; (2) same-string NIZK Arguments (i.e. where 
the prover is computationally bounded) are possible given any one-way trapdoor 
permutation. 

Next, we turn to non-malleability for NIZK, and a notion related to 
non-malleability called simulation-soundness first defined by Sahai. The 
simulation-soundness requirement is that a polynomially-bounded prover can- 
not prove false theorems even after seeing simulated proofs of any statements 
(including false statements) of its choosing. Sahai achieves non-malleability and 
simulation-soundness only with respect to a bounded number of proofs. In this 
paper, we show that assuming the existence of one-way trapdoor permutations, 
we can construct NIZK proof systems which remain simulation-sound even after 
the prover sees any polynomial number of simulated proofs⁶. Combined with 
known results, this also gives the simplest known construction of a CCA2-secure public-key cryp- 
tosystem based on one-way trapdoor permutations. 

In dealing with non-malleability, we next turn to NIZK Proofs of Knowl- 
edge (NIZK-PK), introduced by De Santis and Persiano. We use NIZK-PK 
to propose a strengthening of the definition of non-malleability for NIZK, based 

⁶ We note that we can also achieve a form of non-malleability (as opposed to simulation 
soundness) for NIZK proofs of membership based only on trapdoor permutations. 
This non-malleability would also hold against any polynomial number of proofs; 
however the non-malleability achieved satisfies a weaker definition than the one we 
propose based on NIZK-PK (and in particular, the resulting NIZK proof would only 
be a proof of membership and not a proof of knowledge). We omit the details of this 
in these proceedings. 
on NP-witnesses (which, in particular, implies the earlier definition). We 
provide constructions which show that for any polynomial-time adversary, even 
after the adversary has seen any polynomial number of NIZK proofs for state- 
ments of its choosing, the adversary does not gain the ability to prove any new 
theorems it could not have produced an NP witness for prior to seeing any proofs, 
except for the ability to duplicate proofs it has already seen. This construction 
requires the assumption that trapdoor permutations exist and that public-key 
encryption schemes exist with an inverse polynomial density of valid public keys 
(called dense cryptosystems). Such dense cryptosystems exist under most com- 
mon intractability assumptions which give rise to public-key encryption, such 
as the RSA assumption, Quadratic Residuosity, Diffie-Hellman and factoring. 
(In fact, in the context of NIZK-PK, we cannot avoid using such dense 
cryptosystems since they were shown to be necessary for any NIZK-PK.) 

Finally, we call NIZK arguments that are both non-malleable and same-string 
NIZK Robust NIZK. 

We highlight the contributions of our results: 

— For NIZK arguments, we give the first construction where the simulator uses 
the same common random string as used by all the provers. 

— Our Robust-NIZK proof systems are non-malleable with regard to any poly- 
nomial number of proofs seen by the adversary and with respect to the same 
proof-system. (We contrast this with the previous result of Sahai, which proves 
non-malleability against only a bounded number of proofs, and in fact the 
length of the reference string grew quadratically in the bound on the 
number of proofs the adversary could see.) In our result, in contrast, the 
length of the reference string depends only on the security parameter. 

— Our non-malleable NIZK definition and construction based on NIZK-PK 
achieves a very strong guarantee: We require that one can obtain an explicit 
NP witness for any statement that the adversary can prove after seeing some 
NIZK proofs. Thus, it intuitively matches our notion of what NIZK should 
mean: that the adversary cannot prove anything “new” that he was not able 
to prove before (except for copying proofs in their entirety). 

— Finally, our construction yields the simplest known public-key encryption 
scheme based on general assumptions which is secure against adaptive 
chosen-ciphertext attacks (CCA2). 

We point out some new techniques used to establish our results. All previous 
work on non-malleability in a non-interactive setting under general assump- 
tions used a technique called “unduplicatable set selection”. Our first 
construction provides the first non-malleability construction based on general 
assumptions which does not use “unduplicatable set selection” at all, and rather 
relies on a novel use of pseudo-random functions. In our second construc- 
tion, we show how to generalize the unduplicatable set selection technique to a 
technique we call “hidden unduplicatable set selection,” and use this to build 
our proofs. Both techniques are novel, and may have further applications. 
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Organization. In Section 2, we both recall old definitions as well as give the 
new definitions of this paper. In Section 3, we present our first construction of 
Robust NIZK and non-malleable NIZK (and NIZK-PK) proofs. In Section 4, 
we present our second construction which uses different techniques and a yields 
non-malleable NIZK and NIZKPK. 

2 Preliminaries and Definitions 

We use standard notations and conventions for writing probabilistic algorithms 
and experiments. If A is a probabilistic algorithm, then A(x1, x2, ...; r) is the 
result of running A on inputs x1, x2, ... and coins r. We let y ← A(x1, x2, ...) 
denote the experiment of picking r at random and letting y be A(x1, x2, ...; r). 
If S is a finite set then x ← S is the operation of picking an element uniformly 
from S. x := a is a simple assignment statement. By a “non-uniform probabilistic 
polynomial-time adversary,” we always mean a circuit whose size is polynomial 
in the security parameter. All adversaries we consider are non-uniform. (Thus, 
we assume our assumptions, such as the existence of one-way functions, also hold 
against non-uniform adversaries.) 

In this section, we will formalize the notions of non-malleable, same-string 
and robust NIZK proofs. We will also define an extension of simulation sound- 
ness. 

2.1 Basic Notions 

We first recall the definition of an (efficient, adaptive) single-theorem NIZK 
proof system [15]. Note that since we will always use the now-standard 
adaptive notion of NIZK, we will suppress writing “adaptive” in the future. We 
will also only concentrate on efficiently realizable NIZK proofs, and so we will 
suppress writing “efficient” as well. This first definition only guarantees that 
a single proof can be simulated based on the reference string. Note that our 
definition uses “Strong Soundness,” based on Strong NIZK Proofs of Knowledge 
defined in [8] and a similar notion defined in the literature, where soundness is 
required to hold even if the adversary may choose its proof after seeing the 
randomly selected reference string. Note that known constructions meet this 
requirement. We simultaneously define the notion of an NIZK argument, in a 
manner completely analogous to the definition of an interactive ZK argument. 

Definition 1 (NIZK [15]). Π = (ℓ, P, V, S = (S1, S2)) is a single-theorem 
NIZK proof system (resp., argument) for the language L ∈ NP with witness 
relation R if: ℓ is a polynomial, and P, V, S1, S2 are all probabilistic polynomial- 
time machines such that there exists a negligible function α such that for all 
k: 

(Completeness): For all x ∈ L of length k and all w such that R(x, w) = 
true, for all strings Σ of length ℓ(k), we have that V(x, P(x, w, Σ), Σ) = 
true. 

(Soundness): For all unbounded (resp., polynomial-time) adversaries A, if Σ ∈ 
{0,1}^{ℓ(k)} is chosen randomly, then the probability that A(Σ) will output 
(x, p) such that x ∉ L but V(x, p, Σ) = true is less than α(k). 

(Single-Theorem Zero Knowledge): For all non-uniform probabilistic poly- 
nomial-time adversaries A = (A1, A2), we have that 

$$\left|\Pr[\mathrm{Expt}_A(k) = 1] - \Pr[\mathrm{Expt}^S_A(k) = 1]\right| < \alpha(k),$$ 

where the experiments Expt_A(k) and Expt^S_A(k) are defined as follows: 

Expt_A(k): 
    Σ ← {0,1}^{ℓ(k)} 
    (x, w, s) ← A1(Σ) 
    p ← P(x, w, Σ) 
    return A2(p, s) 

Expt^S_A(k): 
    (Σ, τ) ← S1(1^k) 
    (x, w, s) ← A1(Σ) 
    p ← S2(x, Σ, τ) 
    return A2(p, s) 



To define a notion of NIZK where any polynomial number of proofs can be 
simulated, we change the Zero-knowledge condition as follows: 

Definition 2 (unbounded NIZK [15]). Π = (ℓ, P, V, S = (S1, S2)) is an 
unbounded NIZK proof system for the language L ∈ NP if Π is a single-theorem 
NIZK proof system for L and furthermore: there exists a negligible function α 
such that for all k: 

(Unbounded Zero Knowledge): For all non-uniform probabilistic polyno- 
mial-time adversaries A, we have that 

$$\left|\Pr[\mathrm{Expt}_A(k) = 1] - \Pr[\mathrm{Expt}^S_A(k) = 1]\right| < \alpha(k),$$ 

where the experiments Expt_A(k) and Expt^S_A(k) are defined as follows: 

Expt_A(k): 
    Σ ← {0,1}^{ℓ(k)} 
    return A^{P(·,·,Σ)}(Σ) 

Expt^S_A(k): 
    (Σ, τ) ← S1(1^k) 
    return A^{S'(·,·,Σ,τ)}(Σ) 

where S'(x, w, Σ, τ) = S2(x, Σ, τ). 



Definition 3. We say that an NIZK argument system is same-string NIZK if 
the (unbounded) zero knowledge requirement above is replaced with the following 
requirement: there exists a negligible function α such that for all k: 

(Same-String Zero Knowledge): For all non-uniform probabilistic 
polynomial-time adversaries A, we have that 

$$\left|\Pr[X = 1] - \Pr[Y = 1]\right| < \alpha(k),$$ 

where X and Y are as defined in (and all probabilities are taken 
over) the experiment Expt(k) below: 

Expt(k): 
    (Σ, τ) ← S1(1^k) 
    X ← A^{P(·,·,Σ)}(Σ) 
    Y ← A^{S'(·,·,Σ,τ)}(Σ) 

where S'(x, w, Σ, τ) = S2(x, Σ, τ). 

(Same-String Zero Knowledge, cont.): The distribution on Σ produced by 
S1(1^k) is the uniform distribution over {0,1}^{ℓ(k)}. 



Remark 1. We make three observations regarding the definition of same-string 
NIZK: 

— As is done elsewhere in the literature, the definition could equivalently be one 
that states that with all but negligible probability over the choices of common 
random reference strings, the simulation is computationally indistinguishable from 
real proofs supplied by the prover. We omit the details for lack of space. 

— On the other hand, the definition above differs from the standard definition 
of unbounded zero knowledge only in the new requirement that the simulator 
produce truly uniform reference strings. It is easy to verify that all other 
changes are cosmetic. 

— In the next theorem, we show why we must speak only of same-string NIZK 
arguments, and not NIZK Proofs. 



Theorem 1. If one-way functions exist, then there cannot exist same-string 
(adaptive) NIZK Proof systems for any NP-complete language L, even for single- 
theorem NIZK. In fact, this result extends to any language that is hard-on- 
average with respect to an efficiently samplable distribution. 

Proof. (Sketch) We only sketch the proof of this impossibility result. Assume 
that one-way functions exist, and that a same-string (adaptive) single-theorem 
NIZK Proof system exists for an NP-complete language L. We will show a con- 
tradiction to the soundness of the NIZK Proof System. First we note that the 
existence of one-way functions and Cook’s theorem implies that there is a proba- 
bilistic polynomial-time algorithm M such that for all non-uniform polynomial- 
time machines A, if x ← M(1^k), the probability that A correctly decides whether 
x ∈ L is only negligibly more than 1/2. It is implicit in the previous statement 
that with probability close to 1/2, if x ← M(1^k), then x ∉ L. 

This hardness condition also implies that, in particular, the simulator must 
output proofs that are accepted with all but negligible probability when given 
as input x ← M(1^k). At the same time, because the NIZK system is same- 
string (adaptive) NIZK, it must be that the reference strings output by S1(1^k) 
come from a uniform distribution. 

Now, consider a cheating (unbounded) prover which, for any given random 
string, guesses the auxiliary information τ which maximizes the probability that 
the simulator outputs an accepting proof on inputs chosen according to x ← 
M(1^k). Since the reference string that the prover encounters is also uniform, 
it follows that the cheating prover will have at least as high a probability of 
convincing a verifier to accept on input x ← M(1^k). But we know that the 
simulator causes the verifier to accept with probability negligibly close to 1. This 
contradicts the (unconditional) soundness of the NIZK proof system, completing 
the proof. 
We also define the notion of an NIZK proof of knowledge [8] for an NP language 
L with witness relation R. Informally, the idea is that in an NIZK proof of 
knowledge, one should be able to extract the NP witness directly from the proof 
if given some special information about the reference string. We capture this 
notion by defining an extractor which produces a reference string together with 
some auxiliary information. The distribution on reference strings is statistically 
close to the uniform distribution. Given the auxiliary information and an NIZK 
proof, one can efficiently extract the witness. [8] show how to turn any NIZK 
proof system into a proof of knowledge under the assumption that public-key 
encryption schemes exist with sufficiently high density of valid public keys (called 
dense cryptosystems). We now recall the formal definition: 

Definition 4 (NIZK proof of knowledge [8]). Π = (ℓ, P, V, S = (S1, S2), 
E = (E1, E2)) is a NIZK proof (or argument) of knowledge for the language 
L ∈ NP with witness relation R if: Π is an NIZK proof (or argument) system 
(of any type) for L and furthermore E1 and E2 are probabilistic polynomial-time 
machines such that there exists a negligible function α such that for all k: 

(Reference-String Uniformity): The distribution on reference strings pro- 
duced by E1(1^k) has statistical distance at most α(k) from the uniform distribution 
on {0,1}^{ℓ(k)}. 

(Witness Extractability): For all adversaries A, we have that 

$$\Pr[\mathrm{Expt}^E_A(k)] \ge \Pr[\mathrm{Expt}_A(k)] - \alpha(k),$$ 

where the experiments Expt_A(k) and Expt^E_A(k) are defined as follows: 

Expt_A(k): 
    Σ ← {0,1}^{ℓ(k)} 
    (x, p) ← A(Σ) 
    return V(x, p, Σ) 

Expt^E_A(k): 
    (Σ, τ) ← E1(1^k) 
    (x, p) ← A(Σ) 
    w ← E2(Σ, τ, x, p) 
    return true iff (x, w) ∈ R 



2.2 Non-malleable NIZK 

We now proceed to define non-malleable NIZK. The intuition that our definition 
will seek to capture is to achieve the strongest possible notion of non-malleability: 
“whatever an adversary can prove after seeing polynomially many NIZK proofs 
for statements of its choosing, it could have proven without seeing them, ex- 
cept for the ability to duplicate proofs.”¹ Extending the notion of NIZK-PK of 
De Santis and Persiano [8] we define non-malleable NIZK-PK. We will make the 
definition with regard to simulated proofs, but note that one can make a similar 
definition with regard to actual proofs; we omit it due to lack of space. 

¹ When interpreting the line “it could have proven without seeing them,” we insist that 
an actual NP witness for the statement should be extractable from the adversary, 
which is a very strong NIZK-PK property. 
Definition 5. [Non-Malleable NIZK] Let Π = (ℓ, P, V, S) be an unbounded 
NIZK proof system for the NP language L with witness relation W. We say that 
Π is a non-malleable NIZK proof system (or argument)² for L if there exists a 
probabilistic polynomial-time oracle machine M such that: 

For all non-uniform probabilistic polynomial-time adversaries A and for all 
non-uniform polynomial-time relations R, there exists a negligible function α(k) 
such that 

$$\Pr\left[\mathrm{Expt}^S_{A,R}(k)\right] \le \Pr\left[\mathrm{Expt}'_{A,R}(k)\right] + \alpha(k)$$ 

where Expt^S_{A,R}(k) and Expt'_{A,R}(k) are the following experiments: 

Expt^S_{A,R}(k): 
    (Σ, τ) ← S1(1^k) 
    (x, p, aux) ← A^{S2(·,Σ,τ)}(Σ) 
    Let Q be list of proofs given by S2 above 
    return true iff 
        (p ∉ Q) and 
        (V(x, p, Σ) = true) and 
        (R(x, aux) = true) 

Expt'_{A,R}(k): 
    (x, w, aux) ← M^A(1^k) 
    return true iff 
        ((x, w) ∈ W) and 
        (R(x, aux) = true) 



We also consider (and strengthen) another notion for NIZK called simula- 
tion soundness, which is related to non-malleability, but also can be use- 
ful in applications - in particular, it suffices for building public-key encryption 
schemes secure against the strongest form of chosen-ciphertext attack (CCA2). 
The ordinary soundness property of proof systems states that with overwhelm- 
ing probability, the prover should be incapable of convincing the verifier of a 
false statement. In this definition, we will ask that this remains the case even 
after a polynomially bounded party has seen any number of simulated proofs 
of his choosing. Note that simulation soundness is implied by our definition of 
non-malleability above. 



Definition 6. [Unbounded Simulation-Sound NIZK] Let Π = (ℓ, P, V, S = 
(S1, S2)) be an unbounded NIZK proof system (or argument) for the lan- 
guage L. We say that Π is simulation-sound if for all non-uniform probabilistic 
polynomial-time adversaries A, we have that 

Pr[Expt^S_A(k)] is negligible in k, 

where Expt^S_A(k) is the following experiment: 

Expt^S_A(k): 
    (Σ, τ) ← S1(1^k) 
    (x, p) ← A^{S2(·,Σ,τ)}(Σ) 
    Let Q be list of proofs given by S2 above 
    return true iff (p ∉ Q and x ∉ L and V(x, p, Σ) = true) 

² To stress the main novelty of this definition, we will sometimes write “non-malleable 
in the explicit witness sense,” to indicate that an explicit NP-witness can be ex- 
tracted from any prover. We remark that our definition clearly implies the definition 
of 



Definition 7. We will call an NIZK argument that is non-malleable and has 
unbiased simulations a robust NIZK argument. 

3 First Construction 

In this section, we exhibit our construction of NIZK proof systems that en- 
joy unbounded simulation-soundness. This construction is then readily modified 
using NIZK Proofs of Knowledge to construct proof systems with unbounded 
non-malleability (in the explicit witness sense), and robust NIZK arguments. 

Assumptions needed. In order to construct our simulation-sound proof systems 
for some NP language L, we will require the existence of efficient single-theorem 
(adaptive) NIZK proof systems for a related language L', described in detail 
below. Such proof systems exist under the assumption that trapdoor permuta- 
tions exist. Further, we will require the existence of one-way functions. To 
construct the proof systems with full non-malleability, we will require efficient 
single-theorem (adaptive) NIZK proofs of knowledge for the language L'. Such 
proof systems exist under the assumption that dense cryptosystems exist and 
trapdoor permutations exist [8]. 

3.1 Ingredients 

Let k be the security parameter. We first specify the ingredients used in our 
construction: 

Commitment. We recall two elegant methods for constructing commitments. 
One, based on one-way permutations, will allow us to construct non-malleable 
NIZK arguments with unbiased simulations {i.e. robust NIZK). The other, which 
can be based merely on one-way functions, suffices to construct non-malleable 
NIZK proof systems. 

The theorem of Goldreich and Levin immediately yields the following 
bit commitment scheme from any one-way permutation f on k bits: 

$$C(b, s) = (r, f(s)) \quad \text{where } r \in_R \{0,1\}^k \text{ such that } r \cdot s = b$$ 

Here, it should be that s ∈_R {0,1}^k. Note that if s = 0^k and b = 1, then 
no choice of r will allow for r · s = b. In this case, r is chosen at random, 
but the commitment is invalid. Since invalid commitments can only occur with 
probability at most 2^{-k}, we can safely ignore this. To reveal the bit, the sender 
simply reveals s. Observe that the distribution C(b, s) where both b and s are 
chosen uniformly is precisely the uniform distribution over {0,1}^{2k}. We will 
sometimes write just C(b) to mean C(b, s) where s ∈_R {0,1}^k. Note that in this 
commitment scheme, every string of length 2k corresponds to a commitment to 
some unique string. 

On the other hand, we recall the bit commitment protocol of Naor [22] 
based on pseudorandom generators (which can be built from any one-way func- 
tion). Let G be a pseudorandom generator stretching k bits to 3k bits. The 
Naor commitment procedure commits to a bit b as follows: 

$$C(b, s) = \begin{cases} (r, G(s)) & \text{if } b = 0 \\ (r, G(s) \oplus r) & \text{if } b = 1 \end{cases}$$ 

Here, r ∈_R {0,1}^{3k}, and as above the string s should be selected uniformly at 
random among strings of length k. Again, we will sometimes write just C(b) to 
mean C(b, s) where s ∈_R {0,1}^k. It is shown in [22] that if U and U' are both 
independent uniform distributions among strings of length 3k, then the distribu- 
tions (U, U'), C(0), and C(1) are all computationally indistinguishable (taken as 
ensembles of distributions indexed by k). Furthermore, it is clear that unless r 
is of the form G(s1) ⊕ G(s2) for some s1 and s2, there are no commitment strings 
that can arise as both commitments to 0 and commitments to 1. The probability 
of this being possible is thus less than 2^{-k} over the choices of r. Furthermore, 
the probability that a random sample from (U, U') could be interpreted as a 
commitment to any bit is at most 2^{-k} - in contrast to the one-way permutation 
based scheme above. 
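The two commitment schemes above, as an added worked example that is not part of the original paper. The one-way permutation and the pseudorandom generator are toy stand-ins (an affine permutation of {0,1}^k and truncated SHA-256, neither of which has the cryptographic property the paper assumes) so that the security parameter can be made tiny and the two counting claims in the text, that an invalid Goldreich-Levin commitment arises only for s = 0^k and that a uniformly random string is a valid Naor commitment with probability at most 2^{-k}, can be checked exhaustively rather than argued. All function names and the parameter K are this example's own.

```python
import hashlib
import random
from typing import Optional, Tuple

K = 4  # toy security parameter k in bits; tiny so that {0,1}^{3k} can be enumerated


def prg(seed: int, k: int = K) -> int:
    """Toy stand-in for the PRG G: {0,1}^k -> {0,1}^{3k} (truncated SHA-256).
    It only plays G's role in the scheme; it is not a proven PRG."""
    digest = hashlib.sha256(seed.to_bytes((k + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << (3 * k)) - 1)


def owp(s: int, k: int = K) -> int:
    """Toy permutation of {0,1}^k (affine map with an odd multiplier mod 2^k).
    It is a bijection but NOT one-way; it only plays f's role in the scheme."""
    return (11 * s + 5) & ((1 << k) - 1)


def dot(r: int, s: int) -> int:
    """Inner product of two k-bit strings over GF(2)."""
    return bin(r & s).count("1") & 1


# ---- Goldreich-Levin style commitment: C(b, s) = (r, f(s)) with r . s = b ----

def gl_commit(b: int, s: int, k: int = K,
              rng: random.Random = random.Random(7)) -> Optional[Tuple[int, int]]:
    candidates = [r for r in range(1 << k) if dot(r, s) == b]
    if not candidates:        # only when s = 0^k and b = 1: no r satisfies r . s = 1
        return None           # the page treats this 2^-k event as an invalid commitment
    return (rng.choice(candidates), owp(s, k))


def gl_open(com: Tuple[int, int], b: int, s: int, k: int = K) -> bool:
    """The receiver, given s, recomputes f(s) and the bit r . s."""
    r, y = com
    return owp(s, k) == y and dot(r, s) == b


def gl_uncommittable_fraction(k: int = K) -> float:
    """Fraction of seeds s for which b = 1 cannot be committed (exactly 2^-k)."""
    return sum(1 for s in range(1 << k) if gl_commit(1, s, k) is None) / (1 << k)


def gl_every_string_decodes(k: int = K) -> bool:
    """Every 2k-bit string (r, y) is a commitment to exactly one bit, r . f^{-1}(y),
    which holds precisely because f is a permutation of {0,1}^k."""
    return len({owp(s, k) for s in range(1 << k)}) == (1 << k)


# ---- Naor commitment: C(b, s) = (r, G(s)) if b = 0, (r, G(s) xor r) if b = 1 ----

def naor_commit(b: int, s: int, r: int, k: int = K) -> Tuple[int, int]:
    c = prg(s, k)
    return (r, c ^ r if b else c)


def naor_open(com: Tuple[int, int], b: int, s: int, k: int = K) -> bool:
    r, c = com
    return naor_commit(b, s, r, k) == (r, c)


def naor_random_string_valid_fraction(k: int = K) -> float:
    """Exact probability, over uniform (r, c) in {0,1}^{3k} x {0,1}^{3k}, that the
    pair opens to some bit: c must lie in the image of G or in that image xor r."""
    image = {prg(s, k) for s in range(1 << k)}
    valid = sum(len(image | {y ^ r for y in image}) for r in range(1 << (3 * k)))
    return valid / (1 << (6 * k))


def naor_equivocal_r_fraction(k: int = K) -> float:
    """Fraction of r for which some (r, c) opens to both 0 and 1, i.e. r = G(s1) xor G(s2)
    for some seeds s1, s2: at most 2^{2k} such r out of 2^{3k}, so at most 2^-k."""
    image = {prg(s, k) for s in range(1 << k)}
    return len({y1 ^ y2 for y1 in image for y2 in image}) / (1 << (3 * k))
```

With K = 4 the Naor check enumerates all 2^{12} first messages r and, for each, the at most 2^{4+1} values of c that open; the Goldreich-Levin check enumerates all 2^4 seeds. Both bounds reproduce the 2^{-k} figures quoted in the text, and raising K shows how quickly the gap between "commitment to some bit" and "uniform string" widens for Naor while it stays zero for the permutation-based scheme.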

Pseudo-Random Functions. We also let {f_s}_{s ∈ {0,1}^k} be a family of pseudo- 
random functions mapping {0,1}^* to {0,1}^k. 

One-Time Signatures. Finally, let (Gen, Sign, Ver) be a strong one-time sig- 
nature scheme, which can be constructed easily from universal one- 
way hash functions. Note that these objects can be constructed from one-way 
functions. 



3.2 The Construction 

Intuition. The NIZK system intuitively works as follows: First, a verification- 
key/signing-key pair (VK, SK) is chosen for the one-time signature scheme. 
Then the prover provides a NIZK proof that either x is in the language, or that 
the reference string actually specifies a hidden pseudo-random function and that 
some specified value is the output of this pseudo-random function applied to the 
verification key VK. Finally, this proof is itself signed using the signing key SK. 

We now describe the proof system Π for L precisely. Note that a third pos- 
sibility for the NIZK proof is added below; this is a technical addition which 
simplifies our proof of correctness. 

— Common random reference string. The reference string consists of three 
parts Σ1, Σ2, and Σ3. 

1. Σ1 is a string that we break up into k pairs (r1, c1), ..., (rk, ck). If we 
use the one-way permutation-based commitments, each ri and ci are of 
length k; if we use the Naor commitment scheme, ri and ci are of length 
3k. 

2. Σ2 is a string of length 3k. 

3. Σ3 is a string of length polynomial in k. The exact length of Σ3 depends 
on an NIZK proof system described below. 

— Prover Algorithm. We define the language L' to be the set of tuples 
(x, u, v, Σ1, Σ2) such that at least one of the following three conditions hold: 

• x ∈ L 

• Σ1 consists of commitments to the bits of the k bit string s, and u = 
f_s(v). Formally, there exists s = s1 ... sk with si ∈ {0,1} for each i, and 
there exist a1, a2, ..., ak ∈ {0,1}^k such that u = f_s(v) and such that for 
each i, (ri, ci) is a commitment under C to the bit si. 

• There exists s ∈ {0,1}^k such that Σ2 = G(s) 

We assume we have a single-theorem NIZK proof system for L' (which we 
denote Π'). Note that the length of the reference string Σ3 should be ℓ_{Π'}(k). 
We now define the prover for L. On input x, a witness w, and the reference 
string Σ = (Σ1, Σ2, Σ3), the prover does the following: 

1. Use Gen(1^k) to obtain a verification key / signing key pair (VK, SK) 
for the one-time signature scheme. 

2. Let u be uniformly selected from {0,1}^k. 

3. Using Σ3 as the reference string and w as the witness, generate a single- 
theorem NIZK proof under Π' that (x, u, VK, Σ1, Σ2) ∈ L'. Denote this 
proof by π'. 

4. Output (VK, x, u, π', Sign_SK(x, u, π')). 

As a sanity check, we observe that if Σ = (Σ1, Σ2, Σ3) is chosen uniformly, 
then the probability that Σ1 can be interpreted as the commitment to any 
bits and the probability that Σ2 is in the range of G are both exponentially 
small in k. Thus, with all but exponentially small probability over the choice 
of Σ1 and Σ2, a proof that (x, u, VK, Σ1, Σ2) ∈ L' really does imply that 
x ∈ L. 

— Verifier Algorithm. The verification procedure, on input the instance 
x and proof (VK, x', u, π', σ), with respect to reference string Σ = (Σ1, 
Σ2, Σ3), proceeds as follows: 

1. Confirm that x = x', and confirm the validity of the one-time signature 
— i.e. that Ver_VK((x, u, π'), σ) = 1. 

2. Verify that π' is a valid proof that (x, u, VK, Σ1, Σ2) ∈ L'. 

— Simulator Algorithm. We now describe the two phases of the simulator 
algorithm. S1 is the initial phase, which outputs a reference string Σ along 
with some auxiliary information τ. S2 takes as input this auxiliary informa- 
tion, the reference string, and an instance x, and outputs a simulated proof 
for x. The intuition for the simulator is that it sets up the reference string 
to be such that a hidden pseudo-random function really is specified, and in- 
stead of proving that x is in the language, the simulator simply proves that 
it can evaluate this hidden pseudo-random function on the verification key 
of the signature scheme. 

S1(1^k): 
    s ← {0,1}^k; Σ2 ← {0,1}^{3k}; Σ3 ← {0,1}^{ℓ_{Π'}(k)} 
    ai ← {0,1}^k for i = 1, ..., k 
    gi ← C(si, ai) for i = 1, ..., k 
    Σ1 = (g1, g2, ..., gk) 
    return Σ = (Σ1, Σ2, Σ3) and τ = (s, a1, ..., ak) 

S2(τ = (s, a1, ..., ak), Σ = (Σ1, Σ2, Σ3), x): 
    (VK, SK) ← Gen(1^k) 
    u = f_s(VK) 
    Use Σ3 as ref string and τ as witness to construct 
        proof π' that (x, u, VK, Σ1, Σ2) ∈ L' 
    σ ← Sign_SK(x, u, π') 
    return (VK, x, u, π', σ) 
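The prover, verifier and simulator above, as an added worked example that is not part of the original paper. The single-theorem NIZK proof system Π' for L' is the one ingredient that cannot be written down in a few lines, so here π' simply reveals which of the three branches of L' is used together with its witness; the resulting system is therefore not zero-knowledge and the reference-string component Σ3 is omitted, but the shape of L', the role of u = f_s(VK), and the way the one-time signature binds (x, u, π') to a fresh verification key are exactly as described. The concrete primitives (HMAC-SHA256 as the PRF family, SHAKE-256 as the generator G, a Lamport one-time signature over SHA-256) and the toy language L (x is the SHA-256 image of a known preimage) are this example's own choices, and K is deliberately tiny.

```python
import hashlib
import hmac
import os

K = 2  # toy parameter in bytes, so the PRF seed s has k = 16 bits; far too small for real use


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def G(seed: bytes) -> bytes:
    """Toy PRG stand-in stretching K bytes to 3K bytes."""
    return hashlib.shake_256(seed).digest(3 * K)


def f(s: bytes, msg: bytes) -> bytes:
    """The PRF family {f_s}: HMAC-SHA256 keyed with the hidden seed s."""
    return hmac.new(s, msg, hashlib.sha256).digest()


def bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def commit(bit: int, a: bytes, r: bytes) -> tuple:
    """Naor commitment to one bit: (r, G(a)) for 0, (r, G(a) xor r) for 1."""
    c = G(a)
    return (r, bytes(x ^ y for x, y in zip(c, r)) if bit else c)


# --- one-time signature (Gen, Sign, Ver): Lamport's hash-based scheme ---
def ots_gen() -> tuple:
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    vk = tuple((H(x0), H(x1)) for x0, x1 in sk)
    return vk, sk


def ots_sign(sk: list, msg: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(bits(H(msg)))]


def ots_verify(vk: tuple, msg: bytes, sig: list) -> bool:
    return all(H(sig[i]) == vk[i][b] for i, b in enumerate(bits(H(msg))))


def vk_bytes(vk: tuple) -> bytes:
    return b"".join(h for pair in vk for h in pair)


# --- toy NP language L: x is in L iff x = H(w) for some preimage w ---
def R_L(x: bytes, w: bytes) -> bool:
    return H(w) == x


# --- the OR-language L'; pi' = (branch, witness) stands in for the NIZK proof ---
def check_Lprime(x, u, vk, sigma1, sigma2, pi_prime) -> bool:
    tag, wit = pi_prime
    if tag == "L":                                   # x in L
        return R_L(x, wit)
    if tag == "prf":                                 # Sigma1 commits to s and u = f_s(VK)
        s, a = wit
        opens = all(commit(b, a[i], sigma1[i][0]) == sigma1[i]
                    for i, b in enumerate(bits(s)))
        return opens and u == f(s, vk_bytes(vk))
    if tag == "prg":                                 # Sigma2 = G(d)
        return sigma2 == G(wit)
    return False


def wrap(x, u, pi_prime, vk, sk) -> tuple:
    """Prover step 4: sign (x, u, pi') under the fresh one-time key."""
    return (vk, x, u, pi_prime, ots_sign(sk, repr((x, u, pi_prime)).encode()))


def prove(x: bytes, w: bytes) -> tuple:
    vk, sk = ots_gen()                               # step 1: fresh (VK, SK)
    u = os.urandom(32)                               # step 2: uniform u
    return wrap(x, u, ("L", w), vk, sk)              # step 3: the "x in L" branch


def verify(x: bytes, proof: tuple, sigma: tuple) -> bool:
    vk, x2, u, pi_prime, sig = proof
    if x != x2 or not ots_verify(vk, repr((x, u, pi_prime)).encode(), sig):
        return False                                 # verifier step 1
    return check_Lprime(x, u, vk, sigma[0], sigma[1], pi_prime)  # step 2


def crs_uniform() -> tuple:
    """Honest reference string: Sigma1 is 8K uniform pairs, Sigma2 is uniform."""
    return ([(os.urandom(3 * K), os.urandom(3 * K)) for _ in range(8 * K)],
            os.urandom(3 * K))


def sim1() -> tuple:
    """S1: plant commitments to a PRF seed s in Sigma1 and keep (s, a_i) as tau."""
    s = os.urandom(K)
    a = [os.urandom(K) for _ in range(8 * K)]
    sigma1 = [commit(b, a[i], os.urandom(3 * K)) for i, b in enumerate(bits(s))]
    return (sigma1, os.urandom(3 * K)), (s, a)


def sim2(tau: tuple, x: bytes) -> tuple:
    """S2: prove through the PRF branch, needing no witness for x at all."""
    s, a = tau
    vk, sk = ots_gen()
    return wrap(x, f(s, vk_bytes(vk)), ("prf", (s, a)), vk, sk)


def demo() -> tuple:
    w = b"constructed witness"
    x_true, x_false = H(w), os.urandom(32)           # x_false has no known preimage
    honest = verify(x_true, prove(x_true, w), crs_uniform())
    sigma, tau = sim1()
    sim_proof = sim2(tau, x_false)
    simulated = verify(x_false, sim_proof, sigma)    # accepted under the simulated CRS
    vk, x, u, pi, sig = sim_proof
    mauled = verify(x_false, (vk, x, os.urandom(32), pi, sig), sigma)  # u changed
    return honest, simulated, mauled
```

The last two results of demo() are the two facts the simulation-soundness argument rests on: the simulator's proof for a statement with no witness verifies only because Σ1 was planted, and any edit to (x, u, π') invalidates the one-time signature, so a proof the adversary did not copy must carry a verification key the simulator never used.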



Theorem 2. If Π' is a single-theorem NIZK proof system for L', the proof 
system Π described above is either: 

— an unbounded simulation-sound NIZK proof system for L if C is the Naor 
commitment scheme and one-way functions exist. 

— an unbounded simulation-sound same-string NIZK argument for L if 
C is the commitment scheme based on one-way permutations and one-way 
permutations exist. 

Proof. As they are standard, we only sketch the proofs for completeness, sound- 
ness, and zero-knowledge. We provide the proof of unbounded simulation sound- 
ness in full. 

Completeness follows by inspection. For the case of NIZK proofs, soundness 
follows by the fact that if Σ is chosen uniformly at random, then the probability 
that Σ1 can be interpreted as a commitment to any string is exponentially 
small, and likewise the probability that Σ2 is in the image of the pseudorandom 
generator G is exponentially small. For the case of NIZK arguments, we will in 
fact establish not only soundness but the stronger simulation soundness property 
below. 

In the case where C is based on a one-way permutation, we note that the 
simulator’s distribution on Σ is exactly uniform, thus satisfying this property 
required by same-string NIZK. 

The proof of unbounded zero-knowledge follows almost exactly the techniques 
of [15]. First we note that if we modify the real prover experiment by replacing the 
uniform Σ1 with the distribution from the simulation (which in the case where C 
is based on one-way permutations is no change at all), but keep the prover as is, 
then by the security of the commitment scheme, the views of the adversary are 
computationally indistinguishable. Now, [15] show that single-theorem NIZK 
implies unbounded witness-indistinguishability. Thus, since the simulator for 
Π uses only a different witness to prove the same statement, the view of the 
adversary in the simulator experiment is computationally indistinguishable from 
the view of the adversary in the modified prover experiment. Thus, unbounded 
zero-knowledge follows. 

Unbounded simulation soundness - Overview. The proof of simulation sound- 
ness uses novel techniques based in part on a new application of pseudorandom 
functions to non-malleability. We also use a combination of techniques from 
earlier work. As we do not use set selection at all, the proof is quite dif- 
ferent from those earlier techniques. The intuition is as follows: Through 
the use of the signature scheme, we know that any proof of a false theorem that 
the adversary might output which is different from the proofs provided by the 
simulator must use a verification key VK that is new. Otherwise, providing a 
valid signature would contradict the security of the signature scheme. Once we 
know that the verification key VK must be different, we observe that the only 
way to prove a false theorem with regard to the simulated reference string is 
to provide a value u = f_s(VK). By considering several hybrid distributions, we 
show that this is impossible by the security of pseudorandom functions and the 
witness-indistinguishability of the NIZK proof system Π' for L'. 

Unbounded simulation soundness - Full Proof. We recall from the definition of 
unbounded simulation soundness the adversary experiment, and substitute from 
our construction, to build experiment Expt_0. 



Expt_0(1^k) (Actual Adversary Experiment): 
    Make Reference String Σ = (Σ1, Σ2, Σ3): 
        Σ2 ← {0,1}^{3k}; Σ3 ← {0,1}^{ℓ_{Π'}(k)} 
        s ← {0,1}^k 
        Σ1 ← commitments to bits of s using randomness a1, ..., ak. 
    Run adversary A. When asked for proof for x, do: 
        (VK, SK) ← Gen(1^k) 
        u = f_s(VK) 
        Use Σ3 as ref string and (s, a1, ..., ak) as witness 
            to construct proof π' that (x, u, VK, Σ1, Σ2) ∈ L' 
        σ ← Sign_SK(x, u, π') 
        return (VK, x, u, π', σ) 
    Let (x, π) be output of adversary. 
    Let Q be list of proofs provided by simulator above. 
    return true iff (π ∉ Q and x ∉ L and V(x, π, Σ) = true) 



Let Pr[Expt_0(1^k)] = p(k). We must show that p(k) is negligible. 

We denote the components of the proof π output by the adversary as 
(VK, x, u, π', σ). Let T be the list of verification keys output by the simulator. 
(Note that with all but exponentially small probability, these verification keys 
will all be distinct.) We first consider the probability Pr[Expt_0(1^k) and VK ∈ T]. 
In the case where this is true, we know that π ∉ Q, and therefore this implies 
that the adversary was able to produce a message/signature pair for VK dif- 
ferent than the one given by the simulator. Thus, if Pr[Expt_0(1^k) and VK ∈ T] 
is non-negligible, we can use it to forge signatures and break the (strong) one- 
time signature scheme. Thus, Pr[Expt_0(1^k) and VK ∈ T] is negligible. Since 
p(k) = Pr[Expt_0(1^k) and VK ∈ T] + Pr[Expt_0(1^k) and VK ∉ T], we now need 
only focus on the second probability. Let p_0(k) = Pr[Expt_0(1^k) and VK ∉ T]. 
We now consider a second experiment, where we change the acceptance con- 
dition of the experiment: 



Expt_1(1^k) (Accept only if u = f_s(VK)): 
    Make Reference String Σ = (Σ1, Σ2, Σ3): 
        Σ2 ← {0,1}^{3k}; Σ3 ← {0,1}^{ℓ_{Π'}(k)} 
        s ← {0,1}^k 
        Σ1 ← commitments to bits of s using randomness a1, ..., ak. 
    Run adversary A. When asked for proof for x, do: 
        (VK, SK) ← Gen(1^k) 
        u = f_s(VK) 
        Use Σ3 as ref string and (s, a1, ..., ak) as witness 
            to construct proof π' that (x, u, VK, Σ1, Σ2) ∈ L' 
        σ ← Sign_SK(x, u, π') 
        return (VK, x, u, π', σ) 
    Let (x, π = (VK, x, u, π', σ)) be output of adversary. 
    Let Q be list of proofs output by simulator above. 
    Let T be list of verification keys output by simulator above. 
    return true iff 
        (π ∉ Q and V(x, π, Σ) = true and VK ∉ T and u = f_s(VK)) 



Now, let p_1(k) = Pr[Expt_1(1^k)]. In Expt_1, we insist that VK ∉ T and replace 
the condition that x ∉ L with f_s(VK) = u. Note that with these changes, the 
experiment can be implemented in polynomial-time. Now, by the fact that Π' is 
a proof system for L', we know that if x ∉ L, then with overwhelming probability 
the only way the adversary’s proof can be accepted is if f_s(VK) = u. (Recall 
that in all cases, Π' is an NIZK proof system, not an argument.) Thus, we have 
that p_0(k) ≤ p_1(k) + α(k), where α is some negligible function. 

We now consider a third experiment, where we change part of the reference 
string Σ2 to make it pseudorandom: 

Expt_2(1^k) (Change Σ2 to be pseudorandom): 
    Make Reference String Σ = (Σ1, Σ2, Σ3): 
        d ← {0,1}^k; Let Σ2 = G(d). 
        Σ3 ← {0,1}^{ℓ_{Π'}(k)} 
        s ← {0,1}^k 
        Σ1 ← commitments to bits of s using randomness a1, ..., ak. 
    Run adversary A. When asked for proof for x, do: 
        (VK, SK) ← Gen(1^k) 
        u = f_s(VK) 
        Use Σ3 as ref string and (s, a1, ..., ak) as witness 
            to construct proof π' that (x, u, VK, Σ1, Σ2) ∈ L' 
        σ ← Sign_SK(x, u, π') 
        return (VK, x, u, π', σ) 
    Let (x, π = (VK, x, u, π', σ)) be output of adversary. 
    Let Q be list of proofs output by simulator above. 
    Let T be list of verification keys output by simulator above. 
    return true iff 
        (π ∉ Q and V(x, π, Σ) = true and VK ∉ T and u = f_s(VK)) 

Let p_2(k) = Pr[Expt_2(1^k)]. In Expt_2, the only change we made was to make Σ2 
be pseudorandom rather than truly random. Thus, we must have that |p_2(k) − 
p_1(k)| ≤ α(k), where α is some negligible function. Otherwise, this would yield 
a distinguisher for the generator G. 

We now consider a fourth experiment, where instead of providing proofs 
based on proving u = f_s(VK), we provide proofs based on the pseudorandom 
seed for Σ2: 

Expt_3(1^k) (Use seed for Σ2 to generate NIZK proofs): 
    Make Reference String Σ = (Σ1, Σ2, Σ3): 
        d ← {0,1}^k; Let Σ2 = G(d). 
        Σ3 ← {0,1}^{ℓ_{Π'}(k)} 
        s ← {0,1}^k 
        Σ1 ← commitments to bits of s using randomness a1, ..., ak. 
    Run adversary A. When asked for proof for x, do: 
        (VK, SK) ← Gen(1^k) 
        u = f_s(VK) 
        Use Σ3 as ref string and d as witness 
            to construct proof π' that (x, u, VK, Σ1, Σ2) ∈ L' 
        σ ← Sign_SK(x, u, π') 
        return (VK, x, u, π', σ) 
    Let (x, π = (VK, x, u, π', σ)) be output of adversary. 
    Let Q be list of proofs output by simulator above. 
    Let T be list of verification keys output by simulator above. 
    return true iff 
        (π ∉ Q and V(x, π, Σ) = true and VK ∉ T and u = f_s(VK)) 

Let p_3(k) = Pr[Expt_3(1^k)]. In Expt_3, the only change we made was to 
have the simulator use the seed for Σ2 as the witness to generate its NIZK 
proof that (x, u, VK, Σ1, Σ2) ∈ L'. Note that this means that s and the 
randomness a1, ..., ak are not used anywhere except to generate Σ1. Now, [15] 
prove that any adaptive single-theorem NIZK proof system is also adap- 
tive unbounded witness-indistinguishable (see [15] for the definition of witness- 
indistinguishable non-interactive proofs). The definition of adaptive unbounded 
witness-indistinguishability directly implies that |p_3(k) − p_2(k)| < α(k), where 
α is some negligible function. 

We now consider a fifth experiment, where finally we eliminate all dependence 
on s by choosing Σ1 independently of s: 

Expt_4(1^k) (Make Σ1 independent of s): 
    Make Reference String Σ = (Σ1, Σ2, Σ3): 
        d ← {0,1}^k; Let Σ2 = G(d). 
        Σ3 ← {0,1}^{ℓ_{Π'}(k)} 
        s, s' ← {0,1}^k 
        Σ1 ← commitments to bits of s' using randomness a1, ..., ak. 
    Run adversary A. When asked for proof for x, do: 
        (VK, SK) ← Gen(1^k) 
        u = f_s(VK) 
        Use Σ3 as ref string and d as witness 
            to construct proof π' that (x, u, VK, Σ1, Σ2) ∈ L' 
        σ ← Sign_SK(x, u, π') 
        return (VK, x, u, π', σ) 
    Let (x, π = (VK, x, u, π', σ)) be output of adversary. 
    Let Q be list of proofs output by simulator above. 
    Let T be list of verification keys output by simulator above. 
    return true iff 
        (π ∉ Q and V(x, π, Σ) = true and VK ∉ T and u = f_s(VK)) 

Let p_4(k) = Pr[Expt_4(1^k)]. In Expt_4, we choose two independent uniformly 
random strings s, s' and make Σ1 into a commitment to s' rather than s. This 
has the effect of making Σ1 completely independent of the string s. 

Suppose s^0, s^1 ← {0,1}^k; b ← {0,1}, and Σ1 ← commitments to bits of s^b. 
By the security of the commitment scheme (either by Naor [22] or Goldreich- 
Levin depending on which scheme we use), we know that for every 
polynomial-time algorithm B, we have that Pr[B(s^0, s^1, Σ1) = b] ≤ 1/2 + α(k), 
where α is some negligible function. 

Consider the following algorithm B: On input (s^0, s^1, Σ1), execute Expt_4 (or 
equivalently Expt_3), except with s = s^0 and s' = s^1, and using the value of Σ1 
specified as input to B. Return 1 if the experiment succeeds. 

Then: 

$$\begin{aligned} 
\Pr[B = b] &= \tfrac{1}{2}\Pr[B = 1 \mid b = 1] + \tfrac{1}{2}\Pr[B = 0 \mid b = 0] \\ 
&= \tfrac{1}{2}\,(1 - p_4(k)) + \tfrac{1}{2}\,p_3(k) \\ 
&= \tfrac{1}{2} + \tfrac{1}{2}\,(p_3(k) - p_4(k)) 
\end{aligned}$$ 
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Thus, we have that p^{k) — pi{k) < a{k) for some negligible function a. 
Finally, we consider the last experiment, where we replace the pseudorandom 
function $f$ with a truly random function: 

Expt$_5(1^k)$ (Replace $f$ with truly random function): 
    Make Reference String $\Sigma = (\Sigma_1, \Sigma_2, \Sigma_3)$: 
        $d \leftarrow \{0,1\}^k$; let $\Sigma_2 = G(d)$. 
        $\Sigma_3 \leftarrow \{0,1\}^{\mathrm{poly}(k)}$ 
        $s, s' \leftarrow \{0,1\}^k$ 
        $\Sigma_1 \leftarrow$ commitments to bits of $s'$ using randomness $a_1, \ldots, a_k$. 
    Run $A$ with oracle to simulator. When asked for proof of $x$, do: 
        $(VK, SK) \leftarrow \mathrm{Gen}(1^k)$ 
        $u = F(VK)$ 
        Use $\Sigma_3$ as reference string and $d$ as witness 
        to construct proof $\pi'$ that $(x, u, VK, \Sigma_1, \Sigma_2) \in L'$ 
        $\sigma \leftarrow \mathrm{Sign}_{SK}(x, u, \pi')$ 
        return $(VK, x, u, \pi', \sigma)$ 
    Let $(x, \pi = (VK, x, u, \pi', \sigma))$ be output of adversary. 
    Let $Q$ be list of proofs output by simulator above. 
    Let $T$ be list of verification keys output by simulator above. 
    Let $u' \leftarrow \{0,1\}^k$ 
    return true iff ($\pi \notin Q$ and $V(x, \pi, \Sigma) = \mathrm{true}$ and $VK \notin T$ and $u = u'$) 

Let $p_5(k) = \Pr[\mathrm{Expt}_5(1^k)]$. In Expt$_5$, we replace the pseudorandom function 
$f_s$ with a truly random function $F$, which simply returns a truly random value 
at each query point. Note that since we only consider the case where $VK \notin T$, 
this means that $F(VK)$ will be a uniformly selected value (which we denote $u'$) 
that is totally independent of everything the adversary sees. Thus, it follows that 
$p_5(k) \le 2^{-k}$, since the probability that any value output by the adversary equals 
$u'$ is at most $2^{-k}$. 

On the other hand, we will argue that $p_4(k)$ and $p_5(k)$ can only be negligibly 
apart, by the pseudorandomness of $\{f_s\}$. Consider the following machine $M$ which 
is given an oracle $O$ to a function from $\{0,1\}^k$ to $\{0,1\}^k$: Execute experiment 
Expt$_4(1^k)$ except replace any call to $f_s$ with a call to the oracle. Note that $s$ is 
not used in any other way in Expt$_4(1^k)$. Return 1 iff the experiment succeeds. 

Now, if the oracle provided to $M$ is an oracle for $f_s$ with $s \leftarrow \{0,1\}^k$, then 
$\Pr[M^{O} = 1] = p_4(k)$. If $M$ is provided with an oracle for a truly random function 
$F$, then $\Pr[M^{F} = 1] = p_5(k)$. By the pseudorandomness of $\{f_s\}$, it follows that 
$|p_4(k) - p_5(k)| \le \alpha(k)$ for some negligible function $\alpha$. 

In conclusion, we have that $p_5(k) \le 2^{-k}$, and that $p_i(k) \le p_{i+1}(k) + \alpha(k)$ for 
some negligible function $\alpha$ for each $i = 0, 1, 2, 3, 4$. Thus, $p_0(k) \le \beta(k)$ for some 
negligible function $\beta$, which finally implies that $p(k)$ is negligible, completing the 
proof. 

Theorem 3. If the NIZK proof system $\Pi'$ in the construction above is replaced 
by a single-theorem NIZK proof of knowledge for $L'$, and assuming one-way 
functions exist, then $\Pi$ is an unbounded non-malleable (in the explicit witness 
sense) NIZK proof system (or argument) for $L$. In particular, if $\Pi$ was also 
same-string NIZK, then $\Pi$ is a Robust NIZK argument. 

Proof. (Sketch) This follows from essentially the same argument as was used 
above to prove that U is unbounded simulation-sound. We sketch the details 
here. 

To prove unbounded non-malleability in the explicit witness sense, we must 
exhibit a machine $M$ that, with oracle access to the adversary $A$, produces an 
instance $x$ together with a witness $w$ for membership of $x \in L$, satisfying some 
relation. Recall that since $\Pi'$ is a proof of knowledge, there are extractor 
machines $E_1$ and $E_2$. We describe our machine $M$ explicitly below: 

(Non-Malleability Machine): 
    Make Reference String $\Sigma = (\Sigma_1, \Sigma_2, \Sigma_3)$: 
        $(\Sigma_3, \tau) \leftarrow E_1(1^k)$ 
        $\Sigma_2 \leftarrow \{0,1\}^{\mathrm{poly}(k)}$ 
        $s \leftarrow \{0,1\}^k$ 
        $\Sigma_1 \leftarrow$ commitments to bits of $s$ using randomness $a_1, \ldots, a_k$. 
    Interact with $A(\Sigma)$. When asked for proof of $x$, do: 
        $(VK, SK) \leftarrow \mathrm{Gen}(1^k)$ 
        $u = f_s(VK)$ 
        Use $\Sigma_3$ as reference string and $(s, a_1, \ldots, a_k)$ as witness 
        to construct proof $\pi'$ that $(x, u, VK, \Sigma_1, \Sigma_2) \in L'$ 
        $\sigma \leftarrow \mathrm{Sign}_{SK}(x, u, \pi')$ 
        return $(VK, x, u, \pi', \sigma)$ 
    Let $(x, \pi = (VK, x, u, \pi', \sigma), \mathrm{aux})$ be output of adversary. 
    Let $w' \leftarrow E_2(\Sigma_3, \tau, (x, u, VK, \Sigma_1, \Sigma_2), \pi')$ 
    If $w'$ is a witness for $x \in L$, return $(x, w', \mathrm{aux})$, else abort 

$M$ essentially executes $\mathrm{Expt}_{A,\Pi}(k)$ from the definition of non-malleability, 
except using $E_1$ to generate $\Sigma_3$ (recall that this output of $E_1$ is distributed 
negligibly close to uniformly) and using $E_2$ to extract a witness from the NIZK 
proof for $L'$. We immediately see therefore that $M$ will fail to meet the conditions 
of non-malleability only if there is a non-negligible probability that the witness 
$w'$ returned by $E_2$ is not a witness for $x \in L$ and yet the proof $\pi'$ is valid. By 
construction, with all but negligible probability over $E_2$ and $\Sigma_3$, this can only 
happen if $w'$ is a witness for $u = f_s(VK)$. But the proof of simulation-soundness 
of $\Pi$ implies that the adversary can output such a $u$ with a valid proof $\pi$ with 
only negligible probability. This shows that the probability of $M$'s success is only 
negligibly different from the probability of success in the experiment $\mathrm{Expt}_{A,\Pi}(k)$. 

4 Second Construction 

In this section, we exhibit our second construction of NIZK proof systems with 
unbounded adaptive non-malleability (in the explicit NP-witness sense). Our 
construction uses several tools that can all be based on any NIZK proof of 
knowledge. In particular, this construction is based on a novel generalization 
of unduplicatable set selection which we call hidden unduplicatable set 
selection, which can be used to achieve unbounded non-malleability and might 
be useful elsewhere. 



An informal description. As a starting point, we still would like to use the 
paradigm of [ref] in order to be able to simulate arbitrarily many proofs, when 
requested by the adversary. In other words, we want to create a proof system 
where the simulator can use some "fake" witness to prove arbitrarily many 
theorems adaptively requested by an adversary, but the adversary must use a "real" 
witness when giving a new proof. 

One important step toward this goal is to use a new variation on the "unduplicatable 
set selection" technique (previously used in [refs]). While in previous 
uses of unduplicatable set selection the selected set was sent in the clear (for 
instance, being determined by the binary expansion of a commitment key or a 
signature public key), in our construction such a set is hidden. 

Specifically, on input $x$, the prover picks a subset $S$ of bits of the random 
string and proves that $x \in L$ or the subset $S$ enjoys property $P$ (to ensure 
soundness, $P$ is such that with overwhelming probability a subset of random bits 
does not enjoy $P$). The subset $S$ is specified by a string $s$ that is kept hidden 
from the verifier through a secure commitment. The same string $s$ is used to 
specify a pseudo-random function $f_s$, and the value of $f_s$ on a random $u$ is then 
used as source of randomness for the key generation of a signature scheme. To 
prevent the adversary from deviating from these instructions when generating the 
public key, our protocol requires that a non-interactive zero-knowledge proof 
of the correctness of this computation be provided. Thus, the prover actually 
produces two zero-knowledge proofs: the "real one" (in which he proves that 
$x \in L$ or the set $S$ enjoys property $P$) and the "auxiliary proof" (in which he 
proves correctness of the construction). Finally, the two proofs are signed with 
the public key generated. 

This way, the generation of the public key for the signature scheme is tied to 
the selected set $S$ in the following sense: if an adversary tries to select the same 
set and the same input for the pseudo-random function as in some other proof, 
she will be forced to use the same public key for the signature scheme (for which, 
however, she does not have a secret key). 

Let us intuitively see why this protocol should satisfy unbounded non-malleable 
zero-knowledge. A crucial point to notice is that the simulator, when 
computing the multiple proofs requested by the adversary, will select a set of 
strings, set them to be pseudo-random and the remaining ones to be random, 
and always use this single selected set of strings, rather than a possibly different 
set for each proof, as done by a real prover; note however that the difference 
between these two cases is indistinguishable. As a consequence, the adversary, 
even after seeing many proofs, will not be able to generate a new proof without 
knowing its witness, as we observe in the following three possible cases. 

First, if the adversary tries to select a different set $S'$ (from the one used in 
the simulation), then she is forced to use a random string. Therefore $S'$ does not 
enjoy $P$, and therefore she can produce a convincing real proof only if she has a 
witness for $x \in L$. 

Second, if the adversary tries to select the same set of strings as the one used 
in the simulation and the same input for the pseudo-random function as in at least 
one of the proofs she has seen, then she is forced to use the same signature 
public key and therefore will have to forge a signature, which violates the security 
of the signature scheme used. 

Third, if the adversary tries to select the same set of strings as the one used 
in the simulation and an input for the pseudo-random function different from 
all the proofs she has seen, she will either break the secrecy of the commitment 
scheme or the pseudorandomness of the pseudo-random function used. 

Tools. We use the following tools: 

1. A pseudo-random generator $g = \{g_n\}$, where $g_n : \{0,1\}^n \to \{0,1\}^{2n}$; 

2. A pseudo-random family of functions $f = \{f_s\}_{s \in \{0,1\}^*}$, where 
$f_s : \{0,1\}^{|s|} \to \{0,1\}^{|s|}$; 

3. A commitment scheme (Commit, VerCommit). 

On input an $n$-bit string $s$ and an $n^a$-bit random reference string $\sigma$, for a 
constant $a$, algorithm Commit returns a commitment key com and a decommitment 
key dec of length $n^a$. On input $\sigma$, $s$, com, dec, algorithm VerCommit 
returns 1 if dec is a valid decommitment key of com as $s$ and $\bot$ otherwise. 

4. A one-time strong signature scheme (KG, SM, VS). 

On input a random string $r$ of length $n^a$ for a constant $a$, algorithm KG 
returns a public key pk and a secret key sk of length $n$. On input pk, sk and 
a message $m$, algorithm SM returns a signature sig. On input pk, $m$, sig, 
algorithm VS returns 1 if sig is a valid signature of $m$ or 0 otherwise. 

In the description of our proof system we will use the following polynomial-time 
relations. 

1. Let $g$ be a pseudorandom generator that stretches random strings of length $n$ 
into pseudorandom strings of length $2n$. The domain of relation $R_1$ consists of 
a reference string $\sigma$, $n$ pairs of $2n$-bit strings $(T_{i,0}, T_{i,1})_{i=1}^{n}$, and a commitment 
com such that com is the commitment of an $n$-bit string $s = s_1 \circ \cdots \circ s_n$ 
computed with reference string $\sigma$ and for each $i = 1, \ldots, n$ there exists 
$\mathrm{seed}_i \in \{0,1\}^n$ such that $T_{i,s_i} = g_n(\mathrm{seed}_i)$. A witness for membership in the 
domain of $R_1$ consists of the decommitment key dec, the string $s$ and the 
seeds $\mathrm{seed}_1, \ldots, \mathrm{seed}_n$. 

2. Let KG be the key-generator algorithm of a secure signature scheme, $\{f_s\}$ 
a pseudorandom family of functions and $g$ a pseudorandom generator that 
stretches random strings of length $n$ into pseudorandom strings of length $2n$. 
The domain of relation $R_2$ consists of a public key pk, two reference strings 
$\sigma_0$ and $\sigma_1$, a commitment com, and an $n$-bit string $u$ such that at least one 
of the following holds: 

a) String com is the commitment of an $n$-bit string $s$ computed using $\sigma_1$ as 
reference string, and pk is the output of KG on input $f_s(u)$. 

b) There exists an $n$-bit string $r_0$ such that $\sigma_0 = g(r_0)$. 

Witnesses of membership in $R_2$ are of two forms: they either consist of decommitment 
dec and string $s$, or of string $r_0$ such that $\sigma_0 = g(r_0)$. We denote by 
$(A_2, B_2)$ a NIZK proof system of knowledge for relation $R_2$. We denote by 
$E_{02}, E_{12}, S_2$ the simulator and extractor associated with $(A_2, B_2)$. 

3. Relation $R_3$ is the or of relation $R_1$ and relation $R$. We denote by $(A_3, B_3)$ a 
NIZK proof system of knowledge for relation $R_3$. We denote by $E_{03}, E_{13}, S_3$ 
the simulator and extractor associated with $(A_3, B_3)$. 

The Construction. Let $R$ be a polynomial-time relation. 

Common input. $x \in \{0,1\}^n$. 

— Common random reference string. The reference string consists of five 
parts: 

$\Sigma_0, \Sigma_1, \Sigma_2, \Sigma_3$, and $\Sigma_4$, where $\Sigma_4 = (\Sigma_{4,1,0} \circ \Sigma_{4,1,1}) \circ \cdots \circ (\Sigma_{4,n,0} \circ \Sigma_{4,n,1})$. 

— Prover Algorithm. On input a witness $w$ such that $R(x, w) = 1$, do the 
following: 

1. Uniformly choose $s \in \{0,1\}^n$ and $u \in \{0,1\}^n$; 

2. let $(\mathrm{com}, \mathrm{dec}) = \mathrm{Commit}(\Sigma_1, s)$; 

3. let $r = f_s(u)$ and $(pk, sk) = \mathrm{Gen}(1^n, r)$; 

4. using reference string $\Sigma_2$, input $I_2 = (pk, \Sigma_0, \Sigma_1, \mathrm{com}, u)$ and witness 
$W_2 = (\mathrm{dec}, s)$, generate an NIZK proof of knowledge $\pi_2$ of $W_2$ such that 
$R_2(I_2, W_2) = 1$; 

5. using reference string $\Sigma_3$, input $I_3 = (\Sigma_4, \mathrm{com}, x)$ and $W_3 = w$ as witness, 
generate an NIZK proof of knowledge $\pi_3$ of $W_3$ such that $R_3(I_3, W_3) = 1$; 

6. let $\mathrm{mes} = (\mathrm{com}, u, \pi_2, \pi_3)$; 

7. compute signature $\mathrm{sig} = \mathrm{Sign}(pk, sk, \mathrm{mes})$ and output $(\mathrm{mes}, pk, \mathrm{sig})$. 

— Verifier Algorithm. On input $(\mathrm{com}, u, \pi_2, \pi_3, \mathrm{sig})$ do the following: 

1. verify that sig is a valid signature of $(\mathrm{com}, u, \pi_2, \pi_3)$; 

2. verify that $\pi_2$ and $\pi_3$ are correct; 

3. if all these verifications are satisfied then output ACCEPT and halt, else 
output REJECT and halt. 

The above protocol, as written, can be used to show the following 

Theorem 4. If there exists an efficient NIZK proof of knowledge for an NP-complete 
language, then there exists (constructively) an unbounded non-malleable 
(in the explicit witness sense) NIZK proof system for any language in NP. 

Consider the above protocol, where NIZK proofs of knowledge are replaced by 
NIZK proofs of membership. The resulting protocol can be used to show the 
following 

Theorem 5. If there exists an efficient NIZK proof of membership for an NP-complete 
language, and there exist one-way functions, then there exists (constructively) 
a simulation-sound NIZK proof system for any language in NP. 

In Appendix B we present a proof of Theorem 4 (note that, as done for our first 
construction, we can use part of this proof to prove Theorem 5). 
A Discussion of Usefulness of ZK in Multiparty Settings 

Goldreich, Micali, and Wigderson [ref] introduced a powerful paradigm for using 
zero-knowledge proofs in multiparty protocols. The idea is to use zero-knowledge 
proofs to force parties to behave according to a specified protocol in a manner 
that protects the secrets of each party. In a general sense, the idea is to include 
with each step in a protocol a zero-knowledge proof that the party has acted 
correctly. Intuitively, because each participant is providing a proof, they can only 
successfully give such a proof if they have, in truth, acted correctly. On the other 
hand, because their proof is zero knowledge, honest participants need not fear 
losing any secrets in the process of proving that they have acted correctly. 

To turn this intuition into a proof that no secrets are lost, the general technique 
is to simulate the actions of certain parties without access to their secrets. 
The definition of zero knowledge (in both interactive and non-interactive settings) 
is based on the existence of a simulator which can produce simulated 
proofs of arbitrary statements. This often makes it easy to simulate the actions 
of parties (which we call the high-level simulation) as needed to prove that no 
secrets are lost. 

The problem of malleability, however, can arise here in a subtle way. One 
feature of simulators for zero-knowledge proofs is that they can simulate proofs 
of false statements. In fact, this is often crucial in the high-level simulation of 
parties, because without knowing their secrets it is often not possible to actually 
follow the protocol the way they are supposed to. However, on the other hand, 
it may also be crucial in the high-level simulation that the proofs received by a 
simulated party be correct! As an example which arises in the context of chosen-ciphertext 
security for public-key encryption, consider the following: Suppose 
in a protocol, one party is supposed to send encryptions of a single message $m$ 
under two different public keys $K_1$ and $K_2$. According to our paradigm, this party 
should also provide a zero-knowledge proof that indeed these two encryptions are 
encryptions of the same message. Now, suppose the receiver is supposed to know 
both decryption keys $k_1$ and $k_2$. But suppose that because we are simulating the 
receiver, we only know one key $k_1$. Suppose further that the simulator needs to 
decipher the message $m$ in order to be able to continue the protocol. Now, if we 
could always trust proofs to be correct, knowing just one key would be enough, 
since we would know for sure that the two encryptions are encrypting the same 
message, and therefore the decryption of any one of them would provide us with 
$m$. 

Here is where the malleability problem arises: Perhaps a simulated party occasionally 
provides simulated proofs of false statements. If the proof system is 
malleable, another party could turn around and provide the receiver above with 
two inconsistent encryptions and a false proof that they are consistent. Now, in 
this case, the behavior of the simulated party would be different from the behavior 
of the real party, because the simulator would not notice this inconsistency. 
Indeed, this very problem arises in the context of chosen-ciphertext security, and 
illustrates how malleable proofs can make it difficult to construct simulators. If 
we look more closely, we see that more specifically the problem is the possibility 
that an adversary can use simulated proofs to construct proofs for false 
statements. Sahai [ref] considered this problem by introducing the notion of a 
simulation-sound proof system, although he was not able to construct simulation-sound 
NIZK proof systems immune to any polynomial number of false proofs. 
(Note that our notion of non-malleability implies simulation soundness.) In this 
work, we show how to achieve simulation-sound NIZK proof systems immune to 
any polynomial number of false proofs. Our construction of such NIZK systems 
requires the assumption of one-way trapdoor permutations, a possibly weaker 
computational assumption than dense cryptosystems. 



B Proof for Our Second Construction 

First of all we need to show that the proposed protocol is an efficient NIZK 
proof system for the language equal to the domain of relation $R$; namely, that 
it satisfies the completeness and soundness requirements, and that the prover 
runs in polynomial time when given the appropriate witness. It is immediate 
to check that the properties of completeness and soundness are verified by the 
described protocol. In particular, for the completeness and the efficiency of the 
prover, note that since the honest prover has a witness for relation $R$, she can 
compute the proof $\pi_3$ in step 5 and make the verifier accept; for the soundness, 
note that if the input $x$ is not in the domain of relation $R$, then since the reference 
string is uniformly distributed, input $I_3$ is not in the domain of relation $R_3$ and 
therefore, from the soundness of $(A_3, B_3)$, the verifier can be convinced with 
probability at most exponentially small. 

In the rest of the proof, we prove the non-malleability property of our proof 
system. We start by presenting a construction for the adaptive simulator algorithm 
and the non-malleability machine, and then prove that, together with the 
above proof system, they satisfy the non-malleability property of Definition [ref]. 
The adaptive simulator algorithm. We now describe the simulator algorithm $S$ 
for the proof system presented. $S$ consists of two distinct machines: $S_1$, which 
constructs a reference string $\Sigma$ along with some auxiliary information aux, and 
$S_2$, which takes as input $\Sigma$, aux and an instance $x$ and outputs a simulated proof 
$\pi$ for $x$. 

Algorithm $S_1(1^n)$. 

1. Randomly choose $\Sigma_0 \in \{0,1\}^{2n}$, $\Sigma_1 \in \{0,1\}^n$, and $\Sigma_2$ and $\Sigma_3$; 

2. randomly choose $s \in \{0,1\}^n$; 

3. for $i = 1$ to $n$ do 

    randomly pick $\mathrm{seed}_i$ from $\{0,1\}^n$; 

    set $\Sigma_{4,i,s_i} = g(\mathrm{seed}_i)$; 

    randomly pick $\Sigma_{4,i,1-s_i}$ from $\{0,1\}^{2n}$; 

4. set $\Sigma = \Sigma_0 \circ \Sigma_1 \circ \Sigma_2 \circ \Sigma_3 \circ \Sigma_4$; 

5. set $\mathrm{aux} = (s, \mathrm{seed}_1, \ldots, \mathrm{seed}_n)$; 

6. output $(\Sigma, \mathrm{aux})$. 

Algorithm $S_2(\Sigma, \mathrm{aux}, x)$. 

1. Write aux as $\mathrm{aux} = (s, \mathrm{seed}_1, \ldots, \mathrm{seed}_n)$; 

2. compute $(\mathrm{com}, \mathrm{dec})$ from $\mathrm{Commit}(\Sigma_1, s)$; 

3. randomly pick $u$ from $\{0,1\}^n$ and compute $r = f_s(u)$; 

4. compute $(pk, sk) = \mathrm{KG}(r)$; 

5. using reference string $\Sigma_2$, input $I_2 = (pk, \Sigma_0, \Sigma_1, \mathrm{com}, u)$ and witness 
$W_2 = (\mathrm{dec}, s)$, generate an NIZK proof of knowledge $\pi_2$ of $W_2$ 
such that $R_2(I_2, W_2) = 1$; 

6. using reference string $\Sigma_3$, input $I_3 = (\Sigma_4, \mathrm{com}, x)$ and witness 
$W_3 = (\mathrm{dec}, s, \mathrm{seed}_1, \ldots, \mathrm{seed}_n)$, generate an NIZK proof of knowledge 
$\pi_3$ of $W_3$ such that $R_3(I_3, W_3) = 1$; 

7. set $\mathrm{mes} = (\mathrm{com}, u, \pi_2, \pi_3)$; 

8. compute signature $\mathrm{sig} = \mathrm{Sign}(pk, sk, \mathrm{mes})$ and output $(\mathrm{mes}, pk, \mathrm{sig})$. 

Note that from the point of view of the adversary, the transcript output 
by the simulator $S$ is indistinguishable from a real conversation with a prover, 
or otherwise either the secrecy of the commitment scheme, or the security of the 
pseudorandom generator, or the witness indistinguishability of the proof system 
used is violated. The proof of this is standard and is based on arguments from 
[ref]. 
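The hidden set selection that $S_1$ (step 3) and relation $R_1$ (Section 4) rely on, as an added toy in Python; this is illustration code, not the paper's, with $g_n$ instantiated from SHA-256 and the commitment and NIZK layers left out so that the construction of $\Sigma_4$ and the seed check of $R_1$ can be exercised on their own.

```python
import hashlib
import os
import random
from typing import Callable, List, Tuple

# A byte source: rng(k) returns k uniformly random bytes.
RandBytes = Callable[[int], bytes]

# Constructed sample selector string s (n = 16 bits) used by the demo below.
S_SAMPLE = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1]


def make_rng(seed_int: int) -> RandBytes:
    """Deterministic byte source so the demo is reproducible (not for real use)."""
    rnd = random.Random(seed_int)
    return lambda k: rnd.getrandbits(8 * k).to_bytes(k, "big")


def g(seed: bytes) -> bytes:
    """Toy PRG g_n: stretches an n-bit seed into a 2n-bit string.

    Instantiated here with SHA-256 in counter mode; this is an assumption of
    the example, the paper only requires some pseudo-random generator.
    """
    out = b""
    counter = 0
    while len(out) < 2 * len(seed):
        out += hashlib.sha256(b"g_n|" + counter.to_bytes(4, "big") + seed).digest()
        counter += 1
    return out[: 2 * len(seed)]


def honest_sigma4(n_bits: int, rng: RandBytes = os.urandom) -> List[Tuple[bytes, bytes]]:
    """Honest reference string Sigma_4: n pairs of uniformly random 2n-bit strings.

    A uniform 2n-bit string lies in the range of g_n with probability at most
    2^-n, so with overwhelming probability no subset selected by any s has the
    property P ("every selected string is an output of g_n"); soundness of the
    real proof system rests on exactly this.
    """
    nb = n_bits // 8
    return [(rng(2 * nb), rng(2 * nb)) for _ in range(n_bits)]


def simulator_sigma4(s_bits: List[int], rng: RandBytes = os.urandom):
    """Step 3 of the simulator S_1 (also step 6 of Phase 1 of M).

    The hidden set selected by s is made pseudo-random: position s_i of pair i
    receives g_n(seed_i) while the other position stays uniformly random.
    Returns (Sigma_4, seeds); s and the seeds form the auxiliary information.
    """
    nb = len(s_bits) // 8
    sigma4, seeds = [], []
    for s_i in s_bits:
        seed_i = rng(nb)
        pair = [b"", b""]
        pair[s_i] = g(seed_i)          # selected string: in the range of g_n
        pair[1 - s_i] = rng(2 * nb)    # unselected string: uniformly random
        sigma4.append((pair[0], pair[1]))
        seeds.append(seed_i)
    return sigma4, seeds


def verify_r1(sigma4, s_bits, seeds) -> bool:
    """Seed part of relation R_1: Sigma_{4,i,s_i} = g_n(seed_i) for every i.

    The full R_1 also requires com to open to s under Sigma_1; the commitment
    layer is left out of this example.
    """
    if not (len(sigma4) == len(s_bits) == len(seeds)):
        return False
    return all(g(seed) == pair[s_i] for pair, s_i, seed in zip(sigma4, s_bits, seeds))


def find_seed(target: bytes, seed_bytes: int):
    """Brute-force preimage search under g_n; feasible only at toy sizes.

    With n = 8 every planted position is found by trying all 256 seeds, which
    is why the real construction needs n large enough that the range of g_n
    cannot be searched: otherwise the selected set would not be hidden.
    """
    for candidate in range(256 ** seed_bytes):
        seed = candidate.to_bytes(seed_bytes, "big")
        if g(seed) == target:
            return seed
    return None


if __name__ == "__main__":
    sigma4, seeds = simulator_sigma4(S_SAMPLE, make_rng(2001))
    print("simulated Sigma_4 verifies under s:", verify_r1(sigma4, S_SAMPLE, seeds))
    s_prime = S_SAMPLE[:]
    s_prime[0] ^= 1   # Case (a) of Lemma 1: a different selector s* has no seeds
    print("same seeds under s*:", verify_r1(sigma4, s_prime, seeds))
```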

The non-malleability machine $M$. The computation of the non-malleability machine 
$M$ can be divided into three phases. During the first phase, $M$ creates 
a reference string along with some auxiliary information to be used later; in 
the second phase $M$ receives strings from Adv and produces proofs 
$\pi^1, \ldots, \pi^l$; finally, in the third phase it receives a proof $\pi^*$ for input $x^*$ and 
extracts a witness $w^*$ from $\pi^*$. 

Input to $M$: security parameter $1^n$. 

Phase 1: Preprocessing. 

0. Randomly choose $\Sigma_0 \in \{0,1\}^{2n}$; 

1. randomly choose $\Sigma_1 \in \{0,1\}^n$; 

2. run $E_{02}$ on input $1^n$ to obtain $\Sigma_2$ along with auxiliary information $\mathrm{aux}_2$; 

3. run $E_{03}$ on input $1^n$ to obtain $\Sigma_3$ along with auxiliary information $\mathrm{aux}_3$; 

4. randomly choose $s \in \{0,1\}^n$; 

5. compute $(\mathrm{com}, \mathrm{dec}) = \mathrm{Commit}(\Sigma_1, s)$; 

6. for $i = 1$ to $n$ do 

    randomly pick $\mathrm{seed}_i$ from $\{0,1\}^n$; 

    set $\Sigma_{4,i,s_i} = g(\mathrm{seed}_i)$; 

    randomly pick $\Sigma_{4,i,1-s_i}$ from $\{0,1\}^{2n}$. 

Phase 2: Interact with adversary Adv. When asked for proof of $x^j$, do: 

1. compute $(\mathrm{com}^j, \mathrm{dec}^j)$ from $\mathrm{Commit}(\Sigma_1, s)$; 

2. randomly pick $u^j$ from $\{0,1\}^n$ and compute $r^j = f_s(u^j)$; 

3. compute $(pk^j, sk^j) = \mathrm{KG}(r^j)$; 

4. using reference string $\Sigma_2$, input $I_2^j = (pk^j, \Sigma_0, \Sigma_1, \mathrm{com}^j, u^j)$ and witness 
$W_2^j = (\mathrm{dec}^j, s)$, generate an NIZK proof of knowledge $\pi_2^j$ of $W_2^j$ such that 
$R_2(I_2^j, W_2^j) = 1$; 

5. using reference string $\Sigma_3$, input $I_3^j = (\Sigma_4, \mathrm{com}^j, x^j)$ and witness 
$W_3^j = (\mathrm{dec}^j, s, \mathrm{seed}_1, \ldots, \mathrm{seed}_n)$, generate an NIZK proof of knowledge $\pi_3^j$ of 
$W_3^j$ such that $R_3(I_3^j, W_3^j) = 1$; 

6. compute $\mathrm{mes}^j = (\mathrm{com}^j, u^j, \pi_2^j, \pi_3^j)$; 

7. compute signature $\mathrm{sig}^j = \mathrm{Sign}(pk^j, sk^j, \mathrm{mes}^j)$ and output $(\mathrm{mes}^j, pk^j, \mathrm{sig}^j)$. 

Phase 3: Output. Receive $(x^*, \pi^*)$ from the adversary and do: 

1. let $w^* = E_{13}(\Sigma_3, \mathrm{aux}_3, x^*, \pi^*)$; 

2. if $w^*$ is a witness for $x^* \in L$ then return $w^*$, else return $\bot$. 

Next we prove the non-malleability property. Note that if the adversary is 
successful in producing a convincing new proof $\pi^*$, then she is also producing a 
convincing proof of knowledge $\pi_3^*$ that some input $I_3$ belongs to the domain of 
relation $R_3$. Using this proof, $M$ can extract a witness $W_3$ such that $R_3(I_3, W_3) = 1$. 
By the construction of $R_3$, this witness is either a witness for $R$ (in which case 
$M$ is successful) or a witness for $R_1$. Therefore the non-malleability property of 
our proof system is proved by the following 

Lemma 1. The probability that, at Phase 3, $M$ extracts from proof $\pi^*$ a witness 
for relation $R_1$ is negligible. 

Proof. First of all we assume that the proof returned by the adversary is accepting 
(namely, both proofs $\pi_2^*, \pi_3^*$ in $\pi^*$ for relations $R_2, R_3$, respectively, are 
accepting), otherwise there is nothing to prove. We then consider the following 
cases and for each of them we show that the probability is negligible, for otherwise 
we would reach a contradiction by showing that Adv can be used to contradict 
one of our original assumptions about the cryptographic tools used. 

Case (a): The adversary has used a string $s^*$ different from $s$. 

Case (b): The adversary has used the same string $s$ and a value $u^*$ equal to 
$u^j$ for some $j$. 

Case (c): The adversary has used the same string $s$ and a value $u^*$ different 
from all $u^j$'s. 

Proof for Case (a). Suppose $s^* \ne s$ and let $i$ be such that $s^*_i \ne s_i$. Then with very 
high probability there exists no $\mathrm{seed}^*_i$ such that $g(\mathrm{seed}^*_i) = \Sigma_{4,i,s^*_i}$. Therefore, 
there exists no witness $W_3^*$ for $I_3^*$ and relation $R_1$, and thus by the soundness of 
the proof system used the verifier will reject with very high probability. 

Proof for Case (b). We denote by $l$ the number of queries performed by Adv, by 
$u^1, \ldots, u^l$ the values used by $M$ in answering the $l$ queries of Adv, and by $u^*$ 
the value used by Adv in its proof $\pi^*$. 

Assume that there exists $j \in \{1, \ldots, l\}$ such that $u^* = u^j$. Then, given that 
Adv has used the same pseudorandom function, and that we are assuming that 
the proof returned by Adv is accepting, it must be the case that Adv has used 
the same public key $pk^j$ as $M$. 

Therefore, if the proof $\pi^*$ generated by Adv is different from the proofs produced 
by $M$ during Phase 2, it can be for one of the following two reasons: 
(a) $\pi^*$ contains a tuple $(\mathrm{com}^*, u^*, \pi_2^*, \pi_3^*)$ different from the corresponding tuple 
$(\mathrm{com}^j, u^j, \pi_2^j, \pi_3^j)$ used by $M$ to answer the $j$-th query, or (b) it exhibits a different 
signature. 

In case (a), Adv can be used to violate the unforgeability of the signature 
scheme used, as it manages to produce a message and to sign it without having 
access to the secret key for the signature scheme. 

Case (b) is ruled out by the property of the signature scheme employed saying 
that, given message $m$ and its signature sig, it is hard to provide a new signature 
of $m$ that is different from sig. 

Proof for Case (c). In this section we show that the probability that $M$ obtains 
in Phase 3 a witness $W$ for relation $R_1$ and that the proof produced by the 
adversary has used the same value $s$ as $M$ and a different $u$ is negligible. 

We consider a series of 4 polynomial-time experiments Expt$_0, \ldots,$ Expt$_3$, with 
the event that Expt$_0(1^n)$ gives 1 in output being exactly the experiment of $M$ 
interacting with Adv we are interested in. 
Thus, denoting by $p_i(n)$ the probability $\Pr[\mathrm{Expt}_i(1^n) = 1]$, we need to show 
that $p_0(n)$ is negligible. We do so, 1) by showing that the outputs of the experiments 
Expt$_i(1^n)$ and Expt$_{i+1}(1^n)$ are indistinguishable and thus $|p_i(n) - p_{i+1}(n)|$ 
is negligible for $i = 0, 1, 2$; 2) by showing that $p_3(n)$ is negligible. 

1. Expt$_0(1^n)$. 

Expt$_0(1^n)$ is exactly the experiment of the adversary 
interacting with algorithm $M$. We only modify Phase 3. 

Phase 3: Output. Receive $(x^*, \pi^*)$ from Adv. 

1. Write $\pi^*$ as $\pi^* = (\mathrm{com}^*, u^*, \pi_2^*, \pi_3^*, pk^*, \mathrm{sig}^*)$. 

2. Let $W_2^* = E_{12}(\Sigma_2, \mathrm{aux}_2, x^*, \pi_2^*)$. 

3. Write $W_2^*$ as $W_2^* = (\mathrm{dec}, s)$. 

4. Let $W_3^* = E_{13}(\Sigma_3, \mathrm{aux}_3, x^*, \pi_3^*)$. 

5. If $W_3^*$ is a witness for $x^* \in L$ then output 0. 

6. Write $W_3^*$ as $W_3^* = (\mathrm{dec}^*, s^*, \mathrm{seed}_1, \ldots, \mathrm{seed}_n)$. 

7. Output 1 iff $s^* = s$ and $u^* \ne u^j$ for $j = 1, \ldots, l$. 

2. Expt$_1(1^n)$. 

In Expt$_1(1^n)$ the random string $\Sigma_0$ is the output of generator $g_n$ on input a 
random $n$-bit string $r_0$, and the proofs at steps 4 and 5 of Phase 2 of $M$ are 
produced using $r_0$ as witness. 

Phase 1: Pre-Processing. Similar to Phase 1 of $M$ with step 0 replaced 
with the following. 

0. Randomly choose $r_0 \in \{0,1\}^n$ and set $\Sigma_0 = g_n(r_0)$. 

Phase 2: Interacting with adversary. Receive $x^j$ from Adv. 

Modify steps 4 and 5 of Phase 2 of $M$ in the following way: 

4. using reference string $\Sigma_2$, input $I_2^j = (pk^j, \Sigma_0, \Sigma_1, \mathrm{com}^j, u^j)$ and witness 
$W_2^j = (r_0)$, generate an NIZK proof of knowledge $\pi_2^j$ of $W_2^j$ such 
that $R_2(I_2^j, W_2^j) = 1$; 

5. using reference string $\Sigma_3$, input $I_3^j = (\Sigma_4, \mathrm{com}^j, x^j)$ and witness 
$W_3^j = (s, \mathrm{seed}_1, \ldots, \mathrm{seed}_n)$, generate an NIZK proof of knowledge $\pi_3^j$ of $W_3^j$ 
such that $R_3(I_3^j, W_3^j) = 1$; 

Phase 3: Output. Same as Expt$_0$. 

The outputs of Expt$_0$ and Expt$_1$ are indistinguishable, for otherwise we would 
violate either the pseudorandomness of the generator $g$ or the witness 
indistinguishability of the proof system. This can be seen by considering an 
intermediate experiment in which $\Sigma_0$ is the output of $g$ but the proofs do not use 
it as witness. 
3. Expt$_2(1^n)$. 

Expt$_2$ differs from Expt$_1$ in the fact that pk is computed by KG on input a 
random value. 

Phase 1: Pre-Processing. Same as Expt$_1$. 

Phase 2: Interact with the adversary. Receive $x^j$ from Adv. 

Modify step 3 of Phase 2 of $M$ in the following way. 

3. Randomly select $r^j$ from $\{0,1\}^n$ and compute $(pk^j, sk^j) = \mathrm{KG}(r^j)$. 

Phase 3: Output. Same as Expt$_1$. 

To prove that the distributions of the outputs of Expt$_1$ and Expt$_2$ are 
indistinguishable, we define experiments Expt$_{2,j}$, for $j = 0, \ldots, l$. In the first $j$ 
executions of Phase 2 of Expt$_{2,j}$ the public key is computed as in Expt$_1$, and 
in the subsequent executions as in Expt$_2$. Thus distinguishing between the 
outputs of Expt$_2$ and Expt$_1$ implies the ability to distinguish between Expt$_{2,j}$ 
and Expt$_{2,j+1}$ for some $0 \le j \le l - 1$, which contradicts either the security 
of the commitment scheme or the pseudorandomness of $f$. 

To substantiate this last claim, we consider the following three experiments. 
For the sake of compactness, we look only at the relevant components of the 
proof, that is, the commitment com, the value $u$ and the public key pk; we 
do not consider the remaining components since they stay the same in each 
experiment and their construction can be efficiently simulated. 



Expt$_a(1^n)$ 

1. Pick $s, r$ at random from $\{0,1\}^n$. 

2. Compute commitment com of $s$. 

3. Pick $u$ at random from $\{0,1\}^n$. 

4. Compute $pk = \mathrm{KG}(f_s(u))$. 

5. Output $(\mathrm{com}, u, pk)$. 

Expt$_b(1^n)$ 

1. Pick $s, r$ at random from $\{0,1\}^n$. 

2. Compute commitment com of $s$. 

3. Pick $u$ at random from $\{0,1\}^n$. 

4. Compute $pk = \mathrm{KG}(f_r(u))$. 

5. Output $(\mathrm{com}, u, pk)$. 

Expt$_c(1^n)$ 

a) Pick $s, r$ at random from $\{0,1\}^n$. 

b) Compute commitment com of $s$. 

c) Pick $u$ at random from $\{0,1\}^n$. 

d) Compute $pk = \mathrm{KG}(r)$. 

e) Output $(\mathrm{com}, u, pk)$. 
Now we have the following two observations: 

Obs. 1 Expt$_a$ and Expt$_b$ are indistinguishable. 

Suppose they are not, and consider the following adversary $A$ that contradicts 
the security of the commitment scheme. $A$ receives two random 
$n$-bit strings $s$ and $r$ and a commitment com of either $s$ or $r$, and performs 
the following two steps. First $A$ picks $u$ at random from $\{0,1\}^n$ 
and then computes pk as $pk = \mathrm{KG}(f_s(u))$. 

Now notice that if com is a commitment of $s$ then the triplet $(\mathrm{com}, u, pk)$ 
is distributed as in the output of Expt$_a(1^n)$. On the other hand, if com is 
a commitment of $r$, then $(\mathrm{com}, u, pk)$ is distributed as in the output of 
Expt$_b(1^n)$. 

Obs. 2 Expt$_b$ and Expt$_c$ are indistinguishable. 

Suppose they are not, and consider the following adversary $A$ that contradicts 
the pseudorandomness of $f$. $A$ has access to a black box that 
computes a function $F$ that is either a completely random function 
or a pseudorandom function $f_r$ for some random $n$-bit string $r$. $A$ performs 
the following steps to construct a triplet $(\mathrm{com}, u, pk)$. $A$ picks $s$ 
at random, computes a commitment com of $s$, picks $u$ at random, feeds 
the black box $u$ obtaining $t = F(u)$, and computes pk as $pk = \mathrm{KG}(t)$. 
Now notice that if $F$ is a random function then $(\mathrm{com}, u, pk)$ is 
distributed as in the output of Expt$_c(1^n)$. On the other hand, if $F$ is a 
pseudorandom function $f_r$ for some random $r$ then $(\mathrm{com}, u, pk)$ is 
distributed as in the output of Expt$_b(1^n)$. 

By the above observations Expt$_a$ (the simplified version of Expt$_{2,j}$) and Expt$_c$ 
(the simplified version of Expt$_{2,j+1}$) are indistinguishable. 

4. Expt$_3(1^n)$. 

Expt$_3$ differs from Expt$_2$ in the fact that a random string $s'$ is committed to 
instead of string $s$. 

Phase 1: Pre-Processing. Same as Expt$_2$ with the following exception: 
step 4 is modified as follows: 

4. randomly pick $s, s' \in \{0,1\}^n$; 

Phase 2: Interact with the adversary. Receive $x^j$ from Adv. 

Modify step 1 of Phase 2 of $M$ in the following way: 

1. Compute $(\mathrm{com}^j, \mathrm{dec}^j) = \mathrm{Commit}(\Sigma_1, s')$ and uniformly choose $u^j \in \{0,1\}^n$. 

Phase 3: Output. Same as Expt$_2$. 

The distributions of the outputs of Expt$_3$ and Expt$_2$ are indistinguishable, for 
otherwise we could distinguish commitments. 

Finally, observe that in Expt$_3(1^n)$, what is seen by Adv is independent of 
$s$. Thus the probability that Adv guesses $s$ is negligible. Therefore, $p_3(n)$ is 
negligible. 